How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV ::)
You mean you want to teach Masm a different syntax, such as MoveMyData from 123 to eax? No problem...
include \masm32\include\masm32rt.inc
from equ <x1,>                  ; "from" expands to a dummy argument followed by a comma
to equ <,x2,>                   ; "to" expands to a comma, a dummy argument and a comma
MoveMyData equ <%mmd>
MoveMyData MACRO dummy1:REQ, src:REQ, dummy2:REQ, dest:REQ
mov dest, src                   ; the two dummies are swallowed; only src and dest are used
ENDM
.data
MyVar dd 123
.data?
AnyVar dd ?
.code
hw db "Hello World", 0
start:
print "eax="
MoveMyData from 123 to eax      ; expands to MoveMyData x1, 123 ,x2, eax, i.e. mov eax, 123
print str$(eax)
getkey ; use getkey instead of opt_wait 1 if you want to launch the prog from Explorer
exit ; short form of invoke ExitProcess, 0
end start
Quote from: 0x401000 on April 05, 2009, 02:38:16 PM
How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV ::)
You could replace some instructions with others that achieve the same effect, depending on which effects you want and which side-effects you can tolerate.
STC sets the carry flag, so does any arithmetic operation that generates a bit to carry - e.g. (eax=0) sub eax,1, or (eax=ffffffff) add eax,1
CLC goes for any arithmetic that doesn't generate a carry bit.
NOT can be achieved by XORing with FFFFFFFFh
and there are various others that should be easy enough to figure out. And if you're creative then you can make them really crazy.
I would guess this is meant for obfuscation purposes?
No, I mean
; ---------------------------------------------------------------------
; for mov reg2, [reg1]   (reg1, reg2 and loop below are placeholders)
push dword ptr [reg1]           ; MASM needs the size on a memory push
pop reg2                        ; push/pop route the value through the stack, flags untouched
; or
xor reg2, reg2                  ; clear the destination (writes the flags)
add reg2, [reg1]                ; then add the operand in (writes the flags again)
; for cmp reg, 0 / jnz loop
test reg, reg                   ; sets ZF from reg without changing reg
jnz loop
; or
or reg, reg                     ; same ZF, but or also rewrites reg with its own value
jnz loop
and so on :boohoo:
Quote from: 0x401000 on April 05, 2009, 02:38:16 PM
How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV ::)
Hi,
Do you mean something like replacing an instruction's effects by a
(nearly) equivalent effect with a different set of instructions?
CMP EAX,EBP ; Non-destructive subtraction
; Replaced by
PUSH EAX
SUB EAX,EBP ; Real subtraction (sets the same flags CMP would)
POP EAX ; But you restore EAX. (PUSH/POP leave the flags alone)
; Or
ROL EAX,1 ; Rotate high bit into low bit (and all the others)
; Replaced by
ADD EAX,EAX ; Shift left by one; the old high bit lands in CF
ADC EAX,0 ; Tweak low bit. (adds CF back in as bit 0)
Regards,
Steve N.
Quote from: Tedd on April 05, 2009, 03:31:19 PM
Quote from: 0x401000 on April 05, 2009, 02:38:16 PM
How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV ::)
You could replace some instructions with others that achieve the same effect, depending on which effects you want and which side-effects you can tolerate..
STC sets the carry flag, so does any arithmetic operation that generates a bit to carry - e.g. (eax=0) sub eax,1, or (eax=ffffffff) add eax,1
CLC goes for any arithmetic that doesn't generate a carry bit.
NOT can be achieved by XORing with FFFFFFFFh
and there are various others that should be easy enough to figure out.. And if you're creative then you can make them really crazy.
I would guess this is meant for obfuscation purposes?
Thanks for your reply, I would like to consider different methods
Yeah, it gets more and more difficult to cheat these heuristic anti-virus scanners ::)
hi,
Quote from: 0x401000 on April 05, 2009, 03:40:54 PM
I would like to consider different methods
->
;neg eax
xor eax,-1                      ; eax = not eax (clears CF)
lea eax,[eax+1]                 ; eax = not eax + 1 = -eax; lea leaves the flags untouched
;ror eax,n
mov ecx,n
shrd eax,eax,cl                 ; or shrd eax,eax,imm8 without the ecx load
;rol eax,n
mov ecx,n
shld eax,eax,cl                 ; or shld eax,eax,imm8
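The equivalences claimed in Tedd's reply, in Steve N.'s reply and in the neg/ror/rol post above can be checked rather than taken on faith. What follows is an added example, not code from this thread or from the MASM32 package: a small C model of EAX plus the carry flag (CF) and zero flag (ZF) that runs each posted substitution next to the real instruction on a few constructed inputs and counts the cases where the flags diverge. Every name in it (cpu_t, op_*, sub_*, the vector list) is this example's own; it models only CF and ZF, and only rotate counts 1..31.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the thread: a tiny model of EAX plus CF and
 * ZF, used to check the substitutions posted above on real inputs. SF, OF
 * and PF are not modelled. Names (cpu_t, op_*, sub_*) are this example's own. */
typedef struct { uint32_t eax; int cf; int zf; } cpu_t;

/* Reference instructions, with the flag behaviour they really have. */
static cpu_t op_add(cpu_t s, uint32_t v) {          /* CF = unsigned overflow, ZF = zero result */
    uint32_t r = s.eax + v; s.cf = r < s.eax; s.zf = r == 0; s.eax = r; return s;
}
static cpu_t op_adc(cpu_t s, uint32_t v) {          /* like ADD, but the incoming CF is added too */
    uint64_t w = (uint64_t)s.eax + v + (uint64_t)s.cf;
    s.eax = (uint32_t)w; s.cf = (w >> 32) != 0; s.zf = s.eax == 0; return s;
}
static cpu_t op_sub(cpu_t s, uint32_t v) {          /* CF = borrow (eax < v unsigned) */
    s.cf = s.eax < v; s.eax -= v; s.zf = s.eax == 0; return s;
}
static cpu_t op_xor(cpu_t s, uint32_t v) {          /* XOR always clears CF */
    s.eax ^= v; s.cf = 0; s.zf = s.eax == 0; return s;
}
static cpu_t op_lea_plus1(cpu_t s) { s.eax += 1; return s; }   /* LEA never writes flags */
static cpu_t op_neg(cpu_t s) {                      /* CF = 1 unless the source was 0 */
    s.cf = s.eax != 0; s.eax = 0u - s.eax; s.zf = s.eax == 0; return s;
}
static cpu_t op_rol(cpu_t s, unsigned n) {          /* ROL n, 1..31: CF = bit rotated into bit 0, ZF untouched */
    s.eax = (s.eax << n) | (s.eax >> (32 - n)); s.cf = s.eax & 1; return s;
}
static cpu_t op_ror(cpu_t s, unsigned n) {          /* ROR n, 1..31: CF = bit rotated into bit 31, ZF untouched */
    s.eax = (s.eax >> n) | (s.eax << (32 - n)); s.cf = s.eax >> 31; return s;
}
static cpu_t op_shld_self(cpu_t s, unsigned n) {    /* SHLD EAX,EAX,n: CF = last bit shifted out, ZF written */
    s.cf = (s.eax >> (32 - n)) & 1;
    s.eax = (s.eax << n) | (s.eax >> (32 - n)); s.zf = s.eax == 0; return s;
}
static cpu_t op_shrd_self(cpu_t s, unsigned n) {    /* SHRD EAX,EAX,n: CF = last bit shifted out, ZF written */
    s.cf = (s.eax >> (n - 1)) & 1;
    s.eax = (s.eax >> n) | (s.eax << (32 - n)); s.zf = s.eax == 0; return s;
}

/* The substitutions posted in the thread. */
static cpu_t sub_neg(cpu_t s)  { return op_lea_plus1(op_xor(s, 0xFFFFFFFFu)); }   /* xor eax,-1 ; lea eax,[eax+1] */
static cpu_t sub_rol1(cpu_t s) { return op_adc(op_add(s, s.eax), 0); }             /* add eax,eax ; adc eax,0 */
static cpu_t sub_stc_from_zero(void) { cpu_t s = { 0, 0, 0 }; return op_sub(s, 1); } /* (eax=0) sub eax,1 */

/* Constructed test vectors: the edge values plus two arbitrary patterns. */
static const uint32_t vectors[] = { 0, 1, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu, 0x12345678u, 0xDEADBEEFu };
#define NV (sizeof vectors / sizeof vectors[0])
/* Every check starts with CF clear and ZF set (as after a compare that matched),
 * so instructions that leave ZF alone can be told apart from those that write it. */
static cpu_t start(size_t i) { cpu_t s = { vectors[i], 0, 1 }; return s; }

/* 1 if each substitute produces the same EAX as the real instruction on every vector. */
static int results_match(void) {
    for (size_t i = 0; i < NV; i++) {
        if (op_neg(start(i)).eax != sub_neg(start(i)).eax) return 0;
        if (op_rol(start(i), 1).eax != sub_rol1(start(i)).eax) return 0;
        for (unsigned n = 1; n < 32; n++) {
            if (op_ror(start(i), n).eax != op_shrd_self(start(i), n).eax) return 0;
            if (op_rol(start(i), n).eax != op_shld_self(start(i), n).eax) return 0;
        }
    }
    return 1;
}
/* Number of vectors on which a substitute leaves CF or ZF different from the real
 * instruction: the side-effects Tedd's reply says you have to be able to tolerate. */
static int flags_differ(cpu_t a, cpu_t b) { return a.cf != b.cf || a.zf != b.zf; }
static int neg_flag_mismatches(void) {              /* XOR clears CF where NEG sets it; LEA cannot repair that */
    int m = 0; for (size_t i = 0; i < NV; i++) m += flags_differ(op_neg(start(i)), sub_neg(start(i))); return m;
}
static int rol1_flag_mismatches(void) {             /* ADC leaves CF = 0 and rewrites ZF; ROL does neither */
    int m = 0; for (size_t i = 0; i < NV; i++) m += flags_differ(op_rol(start(i), 1), sub_rol1(start(i))); return m;
}
static int ror_flag_mismatches(void) {              /* CF agrees for every count; only ZF is clobbered by SHRD */
    int m = 0;
    for (size_t i = 0; i < NV; i++) {
        int bad = 0;
        for (unsigned n = 1; n < 32; n++) bad |= flags_differ(op_ror(start(i), n), op_shrd_self(start(i), n));
        m += bad;
    }
    return m;
}

int main(void) {
    cpu_t stc = sub_stc_from_zero();
    printf("register results equal: %d\n", results_match());
    printf("flag mismatches on %u vectors: neg %d, rol1 %d, ror %d\n",
           (unsigned)NV, neg_flag_mismatches(), rol1_flag_mismatches(), ror_flag_mismatches());
    printf("stc via sub: CF=%d, but EAX is now %08X\n", stc.cf, (unsigned)stc.eax);
    return 0;
}
```

Compile with any C99 compiler and run it. The register results agree in every case, but the flags do not: XOR/LEA always leaves CF clear where NEG would set it for a nonzero input, ADD/ADC leaves CF clear where ROL copies the old bit 31 into it, and every arithmetic or shift substitute rewrites ZF, which the rotates leave alone; only the ROR/SHRD pair agrees on CF. The STC replacement sets CF but turns EAX into FFFFFFFFh on the way. That is the side-effect budget Tedd's reply refers to, and it is exactly the kind of mismatch an analyst who normalises such sequences back to the plain instruction has to account for.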
Yes this is for obfuscation purposes :thumbu
:bg
It only works in ASCII source code, not in binary. For making the binary harder to read this technique is worthless. Opcodes are hard-wired into the processor, and if you need operations of that type, you must use the ones that are there; you cannot create your own.
My guess is that he wants to obfuscate binary code by replacing an instruction like MOV eax,10 with an equivalent set of multiple instructions in order to make it harder for humans to reverse and understand something logical from a disassembly of his code.
This could be used to protect your own software against reversing (but has a big speed penalty and it is a gray area anyway) OR unfortunately he seems to "think" this can be used to protect malware code against AV software detection.
It is this latter case that recommends that this kind of guy should NOT get any help with tips and examples on such techniques here.
Anyway it is purposeless because AVs have a set of more powerful techniques for detecting malware, and in fact such obfuscation techniques do ease the detection and "tip" the AV right from the start, and it just puts more "blame" on honest ASM programmers.
So far, every post (every question really, he has never offered to help anyone else here) that 0x401000 has ever made has been shady. Sendmail program to google? Requesting the Solar_OS source? Code obfuscation?
http://www.masm32.com/board/index.php?action=profile;u=15338;sa=showPosts
Even Drizz helps other people...
Ouch, somehow I missed the fact that all of his posts are so "bad oriented", so to speak...
Considering his post history... maybe Hutch should pull the plug on this account...
Topic locked.