Code Perversion

by tibbar @ 2006-02-16 - 23:57:49

A little project of mine has been to write a complete code pervertor: an engine that actually modifies the opcodes of an executable so that it performs the same operations using different instructions. This goes a step beyond "crypting" a file. A crypted executable is decrypted back to its original bytes before it runs, so it can still be recognised once it is in memory; a mutated executable has no original bytes to restore, so the image in memory is just as unique and undetected as the one on disk.

I therefore set about creating an engine that rewrites code using equivalent operations.

For instance,

mov EAX, 5;

is equivalent to:

push 5; pop EAX;

so I developed a library of equivalent operations for every commonly used x86 instruction. The equivalents rarely assemble to the same size as the original (mov EAX, 5 is five bytes; push 5 followed by pop EAX is three), so every substitution shifts the code that follows it. The engine will:

1) disassemble each instruction in a section of code;
2) select a random equivalent operation;
3) calculate the extra space the equivalent needs and insert that space into the code;
4) assemble the equivalent operation into the space;
5) scan the entire code section for JMP, Jcc and CALL instructions and adjust the addresses they reference to allow for the extra space inserted in step 3.

Now, this has actually been done before. Zombie wrote Code Pervertor, which achieves this, but only for instructions whose equivalent assembles to the same number of bytes, which avoids having to relocate anything. I will be taking this to the next level.

The engine is currently midway through development and uses OllyDbg's disassembler engine for the tedious task of disassembling each instruction.

While it's not complete, here's how it works on a stub used in Code Crypter, a program I wrote a while back.

The table view makes it easy to see how each opcode is mutated. This run used a very limited library of equivalent opcodes, for testing purposes.

The big problem at the moment is handling things like JMP EAX. A register-indirect jump takes an absolute address that only exists at run time, so it cannot be fixed up statically; I have to insert a little stub that adjusts the register just before the jump, and it is not quite working yet.

The mutation process is recursive and pretty slow: it takes about 30 minutes to fully mutate a typical 100k executable. This is because each time an opcode is swapped for an equivalent sequence, every Jcc, JMP and CALL in the code must be adjusted for the padding that the new code inserts, so the fix-up pass runs once per substitution rather than once per file.

Hopefully I will get some time to work on this again soon.

Tibbar.
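The five steps above, and the relocation cost described in the last paragraph, as a small worked engine. This is an added example and not tibbar's code: it decodes only a handful of x86-32 opcodes (mov r32, imm32; push imm32; pop r32; nop; ret; and jmp, jcc and call in their short and near forms) and carries a single substitution rule, mov r32, imm32 versus push imm32 / pop r32. Rather than re-scanning the section after every substitution, it records each instruction's new size first, builds one old-offset-to-new-offset map, and re-targets every branch in a second pass; short branches are promoted to their near forms so a displacement never outgrows its field. The `pick` parameter, the `SAMPLE` bytes and all function names are this example's own assumptions, and the sample is constructed, not taken from the post.

```python
"""Tiny x86-32 instruction-substitution engine with single-pass branch fix-up.
Added example, not tibbar's engine: small opcode subset, no prefixes or ModRM."""
import random
import struct

REGS = ['eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi']
JCC = ['jo', 'jno', 'jb', 'jae', 'je', 'jne', 'jbe', 'ja',
       'js', 'jns', 'jp', 'jnp', 'jl', 'jge', 'jle', 'jg']

def decode(code, pos):
    """One instruction at pos -> (length, kind, payload, text).  'mov_imm': payload
    (reg, imm).  'branch': payload (near_opcode, target); short jmp/jcc report their
    near opcode, so a mutated branch is always 5 or 6 bytes.  'other': payload None."""
    op = code[pos]
    if 0xB8 <= op <= 0xBF:                                    # mov r32, imm32
        imm = struct.unpack_from('<I', code, pos + 1)[0]
        return 5, 'mov_imm', (op - 0xB8, imm), f'mov {REGS[op - 0xB8]}, {imm:#x}'
    if op == 0x68:                                            # push imm32
        return 5, 'other', None, f'push {struct.unpack_from("<I", code, pos + 1)[0]:#x}'
    if 0x58 <= op <= 0x5F:                                    # pop r32
        return 1, 'other', None, f'pop {REGS[op - 0x58]}'
    if op in (0x90, 0xC3):
        return 1, 'other', None, 'nop' if op == 0x90 else 'ret'
    if op == 0xEB or 0x70 <= op <= 0x7F:                      # short jmp / jcc
        target = pos + 2 + struct.unpack_from('<b', code, pos + 1)[0]
        near = b'\xe9' if op == 0xEB else bytes([0x0F, op + 0x10])
        name = 'jmp' if op == 0xEB else JCC[op - 0x70]
        return 2, 'branch', (near, target), f'{name} {target:#06x}'
    if op in (0xE9, 0xE8):                                    # near jmp / call
        target = pos + 5 + struct.unpack_from('<i', code, pos + 1)[0]
        return 5, 'branch', (bytes([op]), target), f'{"jmp" if op == 0xE9 else "call"} {target:#06x}'
    if op == 0x0F and pos + 1 < len(code) and 0x80 <= code[pos + 1] <= 0x8F:  # near jcc
        target = pos + 6 + struct.unpack_from('<i', code, pos + 2)[0]
        return 6, 'branch', (code[pos:pos + 2], target), f'{JCC[code[pos + 1] - 0x80]} {target:#06x}'
    raise ValueError(f'unsupported opcode {op:#04x} at {pos:#06x}')

def listing(code):
    """Linear disassembly, ['0000: mov eax, 0x1', ...], like the post's table view."""
    out, pos = [], 0
    while pos < len(code):
        ln, _, _, text = decode(code, pos)
        out.append(f'{pos:04x}: {text}')
        pos += ln
    return out

def equivalents(reg, imm):
    """The substitution library, reduced to one rule: mov r32, imm32 (5 bytes)
    or push imm32 ; pop r32 (6 bytes).  Both leave r32 == imm."""
    mov = bytes([0xB8 + reg]) + struct.pack('<I', imm)
    push_pop = b'\x68' + struct.pack('<I', imm) + bytes([0x58 + reg])
    return [mov, push_pop]

def mutate(code, pick=random.choice):
    """Steps 1-5 of the post, with the branch fix-up done once per file."""
    # Pass 1: disassemble, pick an equivalent, promote branches to near form.
    insns, pos = [], 0
    while pos < len(code):
        ln, kind, payload, _ = decode(code, pos)
        if kind == 'mov_imm':
            insns.append((pos, 'lit', pick(equivalents(*payload))))
        elif kind == 'branch':
            insns.append((pos, 'branch', payload))
        else:
            insns.append((pos, 'lit', code[pos:pos + ln]))
        pos += ln
    # Every new size is now known, so one old-offset -> new-offset map replaces
    # re-scanning the whole section after each insertion.
    newoff, cursor = {}, 0
    for old, kind, data in insns:
        newoff[old] = cursor
        cursor += len(data) if kind == 'lit' else len(data[0]) + 4
    newoff[len(code)] = cursor                         # fall-through past the end
    # Pass 2: assemble, re-targeting each branch through the map.
    out = bytearray()
    for old, kind, data in insns:
        if kind == 'lit':
            out += data
            continue
        opc, target = data
        if target not in newoff:                       # jump into the middle of an insn
            raise ValueError(f'branch at {old:#06x} targets mid-instruction {target:#06x}')
        out += opc + struct.pack('<i', newoff[target] - (len(out) + len(opc) + 4))
    return bytes(out)

# Constructed sample (not from the post): a short jmp, a call and a short jcc
# whose targets all move once the two movs grow by one byte each.
SAMPLE = bytes.fromhex(
    'B801000000'   # 0000: mov eax, 0x1
    'EB06'         # 0005: jmp 0x000d
    'BB02000000'   # 0007: mov ebx, 0x2
    'C3'           # 000c: ret
    'E8F5FFFFFF'   # 000d: call 0x0007
    '7FF3'         # 0012: jg 0x0007
    'C3')          # 0014: ret

if __name__ == '__main__':
    mutated = mutate(SAMPLE, pick=lambda alts: alts[-1])   # always substitute
    print('\n'.join(listing(SAMPLE)), '--- mutated ---', sep='\n')
    print('\n'.join(listing(mutated)))
```

Running the file prints the listing before and after mutation; with the substitution forced on, the jmp at 0x0005 ends up at 0x0006 pointing to 0x0012, and the call and jg that used to target 0x0007 now target 0x000b, which is where the second push/pop pair landed. Two limits are worth keeping in mind: a branch whose target is not an instruction boundary raises an error (this engine, like the post's, cannot follow a jump into the middle of an instruction), and register-indirect branches such as JMP EAX are not decoded at all, which is exactly the case the post's run-time stub is meant to cover.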

Comments

gso [Visitor]

17/02/06 @ 00:15

I'm really wondering how you can fix that JMP EAX issue... you can't know EAX unless you execute the program first.

tibbar [Member]
17/02/06 @ 00:27

It can be done; here's a snippet from my comments in the code:

/*
CALL EAX or JMP EAX are absolute. This means we only need to adjust if
EAX >= currentPos.

if EAX >= currentPos AND EAX >= searchPos then EAX += extraSpace + sizeofstubcodeinsertedhere
if EAX >= currentPos AND EAX < searchPos then EAX += extraSpace

i.e.

              CMP EAX, currentPos            ; same flags as SUB, but EAX is left intact
              JNA noAdjust                   ; target at or below currentPos: nothing moved
              CMP EAX, searchPos
              JNA simpleAdjust               ; target before this stub: only the padding moved it
              ADD EAX, extraSpace+stubsize   ; target after this stub: padding plus the stub itself
              JMP noAdjust
simpleAdjust:
              ADD EAX, extraSpace
noAdjust:
              CALL EAX                       ; note: the CMPs above clobber EFLAGS
*/

The difficulty is that you are doing this recursively hundreds of times, and rather than inserting this stub each time, I need to keep a counter of the extraSpace required... it's a long story, I'm afraid.

kju [Visitor]
07/12/07 @ 15:15

This is wrong. You can use this for relative jumps, not for absolute ones; that is, you will never know (for sure) where the register is pointing.

ninar1 [Visitor]

24/02/06 @ 14:56

Just waiting for some more code snippets :D

Is it an olly-script?
