Replacing the processor commands

Started by 0x401000, April 05, 2009, 02:38:16 PM

0x401000

How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV  ::)

jj2007

You mean you want to teach Masm a different syntax, such as MoveMyData from 123 to eax? No problem...

include \masm32\include\masm32rt.inc

from equ <x1,>
to equ <,x2,>
MoveMyData equ <%mmd>
MoveMyData MACRO dummy1:REQ, src:REQ, dummy2:REQ, dest:REQ
mov dest, src
ENDM

.data
MyVar dd 123

.data?
AnyVar dd ?

.code
hw db "Hello World", 0

start:
print "eax="
MoveMyData from 123 to eax
print str$(eax)
getkey ; use getkey instead of opt_wait 1 if you want to launch the prog from Explorer
exit ; short form of invoke ExitProcess, 0

end start

Tedd

Quote from: 0x401000 on April 05, 2009, 02:38:16 PM
How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV  ::)

You could replace some instructions with others that achieve the same effect, depending on which effects you want and which side-effects you can tolerate.

STC sets the carry flag, so does any arithmetic operation that generates a bit to carry - e.g. (eax=0) sub eax,1, or (eax=ffffffff) add eax,1
CLC goes for any arithmetic that doesn't generate a carry bit.
NOT can be achieved by XORing with FFFFFFFFh
and there are various others that should be easy enough to figure out. And if you're creative then you can make them really crazy.

I would guess this is meant for obfuscation purposes?
No snowflake in an avalanche feels responsible.

0x401000

No, I mean
; ---------------------------------------------------------------------
for mov
    push [reg1]
    pop reg2

    xor reg2,reg2
    add reg2,[reg1]

for cmp
    test reg,reg
    jnz loop

    or reg,reg
    jnz loop

and so on  :boohoo:

FORTRANS

Quote from: 0x401000 on April 05, 2009, 02:38:16 PM
How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV  ::)

Hi,

   Do you mean something like replacing an instruction's effects by a
(nearly) equivalent effect with a different set of instructions?


        CMP     EAX,EBP ; Non-destructive subtraction
; Replaced by
        PUSH    EAX
        SUB     EAX,EBP ; Real subtraction
        POP     EAX     ; But you restore EAX.

; Or
        ROL     EAX,1   ; Rotate high bit into low bit (and all the others)
; Replaced by
        ADD     EAX,EAX
        ADC     EAX,0   ; Tweak low bit.


Regards,

Steve N.

0x401000

Quote from: Tedd on April 05, 2009, 03:31:19 PM
Quote from: 0x401000 on April 05, 2009, 02:38:16 PM
How can I replace the command by other commands or set commands?
STC, NOT, CLC, INC, DEC, ADD, SUB, XOR, ROL, ROR, NEG, CMP, MOV  ::)

You could replace some instructions with others that achieve the same effect, depending on which effects you want and which side-effects you can tolerate.

STC sets the carry flag, so does any arithmetic operation that generates a bit to carry - e.g. (eax=0) sub eax,1, or (eax=ffffffff) add eax,1
CLC goes for any arithmetic that doesn't generate a carry bit.
NOT can be achieved by XORing with FFFFFFFFh
and there are various others that should be easy enough to figure out. And if you're creative then you can make them really crazy.

I would guess this is meant for obfuscation purposes?


Thanks for your reply, I would like to consider different methods

jj2007

Yeah, it gets more and more difficult to cheat these heuristic anti-virus scanners ::)

qWord

hi,

Quote from: 0x401000 on April 05, 2009, 03:40:54 PM
I would like to consider different methods
->

;neg
xor eax,-1
lea eax,[eax+1]

;ror
mov ecx,n
shrd eax,eax,cl;imm8

;rol
mov ecx,n
shld eax,eax,cl;imm8
FPU in a trice: SmplMath
It's that simple!
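Added example, not code from any poster or from the MASM32 project: a small C model of EAX together with the CF and ZF flags that checks the substitutions proposed in this thread (FORTRANS's CMP and ROL rewrites, qWord's NEG and ROR rewrites) for equivalence in value and in flags, which is the side-effect question Tedd raised. The function names, the sample inputs and the two-flag model are this example's own assumptions; OF, SF, PF and AF are not modelled.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the machine state this thread cares about: EAX plus CF and ZF. */
typedef struct { uint32_t eax; bool cf; bool zf; } cpu_t;

/* Reference semantics of the original instructions. */
static uint32_t ref_rol(uint32_t v, unsigned n) { n &= 31; return n ? (v << n) | (v >> (32 - n)) : v; }
static uint32_t ref_ror(uint32_t v, unsigned n) { n &= 31; return n ? (v >> n) | (v << (32 - n)) : v; }
/* NEG EAX: CF is set unless the operand was zero; ZF reflects the result. */
static cpu_t ref_neg(uint32_t v) { cpu_t s = { (uint32_t)(0u - v), v != 0, v == 0 }; return s; }
/* CMP EAX,EBP: EAX untouched; CF = unsigned borrow, ZF = operands equal. */
static cpu_t ref_cmp(uint32_t eax, uint32_t ebp) { cpu_t s = { eax, eax < ebp, eax == ebp }; return s; }

/* FORTRANS: ROL EAX,1 -> ADD EAX,EAX / ADC EAX,0 */
static uint32_t rol1_via_add_adc(uint32_t eax) {
    uint64_t sum = (uint64_t)eax + eax;      /* ADD EAX,EAX; carry out is the old bit 31 */
    bool cf = (sum >> 32) != 0;
    eax = (uint32_t)sum;
    return eax + (cf ? 1u : 0u);             /* ADC EAX,0 moves that bit into bit 0 */
}

/* FORTRANS: CMP EAX,EBP -> PUSH EAX / SUB EAX,EBP / POP EAX
 * PUSH and POP do not touch flags, so the flags left by SUB survive the POP. */
static cpu_t cmp_via_push_sub_pop(uint32_t eax, uint32_t ebp) {
    uint32_t saved = eax;                    /* PUSH EAX */
    cpu_t s;
    s.cf = eax < ebp;                        /* SUB EAX,EBP: CF on borrow */
    s.zf = (uint32_t)(eax - ebp) == 0;       /*              ZF on zero result */
    s.eax = saved;                           /* POP EAX restores the value */
    return s;
}

/* qWord: NEG EAX -> XOR EAX,-1 / LEA EAX,[EAX+1]
 * XOR clears CF and sets ZF from its own result; LEA never updates flags. */
static cpu_t neg_via_xor_lea(uint32_t eax) {
    cpu_t s;
    eax ^= 0xFFFFFFFFu;                      /* XOR EAX,-1 (value of NOT EAX) */
    s.cf = false;                            /* XOR always clears CF */
    s.zf = eax == 0;                         /* ZF from the XOR result, not from the final value */
    s.eax = eax + 1;                         /* LEA EAX,[EAX+1]: flags untouched */
    return s;
}

/* qWord: ROR EAX,CL -> SHRD EAX,EAX,CL. SHRD shifts dst right and fills the
 * vacated high bits from src; with src == dst the shifted-out bits re-enter. */
static uint32_t shrd32(uint32_t dst, uint32_t src, unsigned cnt) {
    cnt &= 31;                               /* hardware masks the count to 5 bits */
    return cnt ? (dst >> cnt) | (src << (32 - cnt)) : dst;
}
static uint32_t ror_via_shrd(uint32_t eax, unsigned cl) { return shrd32(eax, eax, cl); }

/* Constructed edge-case inputs: zero, one, sign boundary, all ones, a mixed pattern. */
static const uint32_t samples[] = { 0u, 1u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu, 0x12345678u };
#define NSAMPLES (sizeof samples / sizeof samples[0])

static bool rol1_equivalent(void) {
    for (size_t i = 0; i < NSAMPLES; i++)
        if (rol1_via_add_adc(samples[i]) != ref_rol(samples[i], 1)) return false;
    return true;
}
static bool cmp_equivalent(void) {
    for (size_t i = 0; i < NSAMPLES; i++)
        for (size_t j = 0; j < NSAMPLES; j++) {
            cpu_t a = ref_cmp(samples[i], samples[j]), b = cmp_via_push_sub_pop(samples[i], samples[j]);
            if (a.eax != b.eax || a.cf != b.cf || a.zf != b.zf) return false;
        }
    return true;
}
/* 0: value and flags agree; 1: value agrees but flags differ; 2: value differs. */
static int neg_equivalence(void) {
    int worst = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        cpu_t a = ref_neg(samples[i]), b = neg_via_xor_lea(samples[i]);
        if (a.eax != b.eax) return 2;
        if (a.cf != b.cf || a.zf != b.zf) worst = 1;
    }
    return worst;
}
static bool ror_equivalent(void) {
    for (size_t i = 0; i < NSAMPLES; i++)
        for (unsigned cl = 0; cl < 32; cl++)
            if (ror_via_shrd(samples[i], cl) != ref_ror(samples[i], cl)) return false;
    return true;
}

int main(void) {
    int n = neg_equivalence();
    printf("ROL EAX,1 via ADD/ADC:      %s\n", rol1_equivalent() ? "equivalent" : "DIFFERS");
    printf("CMP via PUSH/SUB/POP:       %s\n", cmp_equivalent() ? "equivalent" : "DIFFERS");
    printf("NEG via XOR/LEA:            %s\n", n == 0 ? "equivalent" : n == 1 ? "value ok, flags differ" : "DIFFERS");
    printf("ROR EAX,CL via SHRD:        %s\n", ror_equivalent() ? "equivalent" : "DIFFERS");
    return 0;
}
```

Run stand-alone, it reports that the ROL, CMP and ROR rewrites agree with the original instruction on every sample, while the XOR/LEA form of NEG yields the right value but leaves CF and ZF as the XOR set them, so any code that branches on NEG's flags afterwards would misbehave. Checking value and flags separately like this is the same test an analyst applies when normalising such multi-instruction sequences back to the single instruction they stand for in a disassembly.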

0x401000

Yes this is for obfuscation purposes  :thumbu

hutch--

 :bg

It only works in ASCII source code, not in binary. For making the binary harder to read this technique is worthless. Opcodes are hard wired into the processor and if you need operations of that type, you must use the ones that are there, you cannot create your own.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

BogdanOntanu

My guess is that he wants to obfuscate binary code by replacing an instruction like MOV eax,10 with an equivalent set of multiple instructions in order to make it harder for humans to reverse and understand something logical from a disassembly of his code.

This could be used to protect your own software against reversing (but has a big speed penalty and it is a gray area anyway) OR unfortunately he seems to "think" this can be used to protect malware code against AV software detection.

It is this latter case that recommends that this kind of guy should NOT get any help with tips and examples on such techniques here.

Anyway it is purposeless because AV's have a set of more powerful techniques for detecting malware and in fact such obfuscation techniques do ease the detection and "tip" the AV right from the start and it just puts more "blame" on honest ASM programmers.
Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro

Mark Jones

So far, every post (every question really, he has never offered to help anyone else here) that 0x401000 has ever made has been shady. Sendmail program to google?  Requesting the Solar_OS source? Code obfuscation?

http://www.masm32.com/board/index.php?action=profile;u=15338;sa=showPosts

Even Drizz helps other people...
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

BogdanOntanu

Ouch, somehow I missed the fact that all of his posts are so "bad oriented" so to speak...

Considering his post history... maybe Hutch should pull the plug off for this account...

Topic locked.

Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro