(Protecting Applications Against Disassembly)
(The "non-conditional" conditional jump and other tricks)
(07 December 1997)
Courtesy of Fravia's page
of reverse engineering
Well, a minimum for protectionists' future scheme, I would say...
Fooling Disassemblers(Protecting Applications Against Disassembly)
I have recently been working on a disassembler and have thought about
the ways protectionists can fool them, pretty easily.
Note that disassemblers do not have artificial intelligence :-)
Approaches that disassemblers may be able to bypass:
1 - Jump statements jumping onto themselves
Suppose you had a part of your code that was never called.
You could put in an infinite loop:
(c) Snatch 1997. All rights reversed
0000: EB FF jmp 0000
0000: F4 hlt
The disassembler may loop forever, whereas with hlt it would not.
2 - Fake jump statements
If the next statement you plan to use is an inc, dec, call, jmp, or a
push and it begins with opcode FF. Try this:
0000: EB FF jmp 0001
0002: ?? ??
0000: 90 nop
0001: FF ?? inc,dec,call,jmp,push
This should confuse disassemblers.
3 - One way calls
If you are going to jump to a subroutine but never return, consider
calling the subroutine and popping the bytes off of the stack.
0000: call sub1
1000: pop dx - get rid of bytes for returning
1001: pop dx
0000: jmp sub1
1000: pop dx
A disassembler usually will think there is code after the call statement
and continue to scan.
4 - Ret used as jump
If you are going to call a subroutine, consider this:
1000: push 92F(address of sub)
1000: jmp 92F
Disassemblers will not find your sub at 92F. You may find this in packed files.
Approaches that disassemblers can not bypass:
5 - fake conditional jumps
Only one way will come out of the jump:
1000: cmp ax,ax
1002: je loc1
1000: jmp loc1
Disassemblers will have to assume that there is code on the other side of
the jump, and will have no way of differentiating because they do not yet
Note that on approaches 1,2, and 5, if you use a jump with rel 16
or rel 32, you will need to fix the distance of the jumps.
Note that on approaches 3 and 4, if you are using full segment
address, more will need to be pushed and popped.
These approaches can only be used if you program assembly language
or use c with assembly language. You may have to have a good grasp
of assembly language to understand these 5 concepts.
Good luck for your proctections!
You are deep inside Fravia's page of reverse engineering,
choose your way out:
Back to the programmer's corner
Is reverse engineering legal?