Replacing the processor commands

[0x401000]

How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV  ::)

[jj2007]

You mean you want to teach Masm a different syntax, such as MoveMyData from 123 to eax? No problem...

Code Select Expand

include \masm32\include\masm32rt.inc

from equ <x1,>
to equ <,x2,>
MoveMyData equ <%mmd>
MoveMyData MACRO dummy1:REQ, src:REQ, dummy2:REQ, dest:REQ
mov dest, src
ENDM

.data
MyVar dd 123

.data?
AnyVar dd ?

.code
hw db "Hello World", 0

start:
print "eax="
MoveMyData from 123 to eax
print str$(eax)
getkey ; use getkey instead of opt_wait 1 if you want to launch the prog from Explorer
exit ; short form of invoke ExitProcess, 0

end start


[Tedd]

How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV  ::)

You could replace some instructions with others that achieve the same effect, depending on which effects you want and which side-effects you can tolerate..

STC sets the carry flag, so does any arithmetic operation that generates a bit to carry - e.g. (eax=0) sub eax,1, or (eax=ffffffff) add eax,1
CLC goes for any arithmetic that doesn't generate a carry bit.
NOT can be achieved by XORing with FFFFFFFFh
and there are various others that should be easy enough to figure out.. And if you're creative then you can make them really crazy.

I would guess this is meant for obfuscation purposes?

[0x401000]

No, I mean
; ---------------------------------------------------------------------
for mov
           push [reg1]
              pop reg2   

          xor reg2,reg2
                    add reg2,[reg1]

for cmp
                   test reg,reg
                      jnz  loop

                      or  reg,reg
                       jnz loop

and so on  :boohoo:

[FORTRANS]

How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV  ::)

Hi,

   Do you mean something like replacing an instruction's effects  by a
(nearly) equivalent effect with a different set of instructions?

Code Select Expand


        CMP     EAX,EBP ; Non-destructive subtraction
; Replaced by
        PUSH    EAX
        SUB     EAX,EBP ; Real subtraction
        POP     EAX     ; But you restore EAX.

; Or
        ROL     EAX,1   ; Rotate high bit into low bit (and all the others)
; Replaced by
        ADD     EAX,EAX
        ADC     EAX,0   ; Tweak low bit.

Regards,

Steve N.

[0x401000]

How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV  ::)

You could replace some instructions with others that achieve the same effect, depending on which effects you want and which side-effects you can tolerate..

STC sets the carry flag, so does any arithmetic operation that generates a bit to carry - e.g. (eax=0) sub eax,1, or (eax=ffffffff) add eax,1
CLC goes for any arithmetic that doesn't generate a carry bit.
NOT can be achieved by XORing with FFFFFFFFh
and there are various others that should be easy enough to figure out.. And if you're creative then you can make them really crazy.

I would guess this is meant for obfuscation purposes?

Thanks for your reply, I would like to consider different methods

[jj2007]

Yeah, it gets more and more difficult to cheat these heuristic anti-virus scanners ::)

[qWord]

hi,

I would like to consider different methods

->

Code Select Expand


;neg
xor eax,-1
lea eax,[eax+1]

;ror
mov ecx,n
shrd eax,eax,cl;imm8

;rol
mov ecx,n
shld eax,eax,cl;imm8


[0x401000]

Yes this is for obfuscation purposes  :thumbu

[hutch--]

 :bg

It only works in ascii source code, not in binary. For making the binary harder to read this technique is worthless. Opcodes are hard wired into the processor and if you need operations of that type, you must use the ones that are their, you cannot create your own.

[BogdanOntanu]

My guess is that he wants to obfuscate binary code by replacing an instruction like MOV eax,10 with an equivalent set of multiple instructions in order to make it harder for humans to reverse and understand something logical from a disassembly of his code.

This could be used to protect your own software against reversing (but has a big speed panalty and it is gray area anyway) OR unfortunately he seems to "think" this can be used to protect malware code against AV software detection.

It is this later case that recommends that this kind of guy should NOT get any help with tips and examples on such techniques here.

Anyway it is purposeless because AV's have a set of more powerful techniques for detecting malware and in fact such obfuscation techniques do ease the detection and "tip" the AV right from the start and it just puts more "blame" on honest ASM programmers.

[Mark Jones]

So far, every post (every question really, he has never offered to help anyone else here) that 0x401000 has ever made has been shady. Sendmail program to google?  Requesting the Solar_OS source? Code obfuscation?

http://www.masm32.com/board/index.php?action=profile;u=15338;sa=showPosts

Even Drizz helps other people...

[BogdanOntanu]

Ouch, somehow I missed the fact that all of his post are so "bad oriented" so to speak...

Considering his post history... maybe Hutch should pull the plug off for this account...

Topic locked.