#1
09-05-2010, 04:03 AM
lnuxxunl
Junior Member
Join Date: Sep 2010
Posts: 4
Binary Code Obfuscation

Hi

Guys, you know that you can replace some instruction with another instruction with the same function, for example:


Retn = POP EAX
JMP EAX

My question is:

The Retn instruction takes some space in memory, but the instructions POP & JMP take a bigger size of memory.

So I tried to replace some instruction, but that caused the instruction under the one I want to replace to just disappear.

What is the right method to replace the instruction?
#2
09-05-2010, 07:04 AM
Git
Super Moderator
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Two choices :

1) Be smart and find a way of replacing a block of code with smaller code that does the same thing. For example, if there is a jump, can you replace it with a 'short' jump ?.

2) If you have room for a CALL or a JMP, then you can find a "cave" in the program ( a space where there is no information) and add a subroutine there. Don't forget the relocations if there are any. Utilities exist that will find a cave, add the code and do the fixups automatically for you.

Git
#3
09-05-2010, 10:58 AM
lnuxxunl
Junior Member
Join Date: Sep 2010
Posts: 4

Thank you

Useful information.

Would you explain more about block replacing with an example?

I appreciate your help
#4
09-05-2010, 02:02 PM
Git
Super Moderator
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Hope I've got the numbers right, but the idea should be clear anyway. Look at these two code snippets :

Code:
00015F1D 0F 84 03 00 00 00                    jz  @@1
00015F23 xx xx xx                             'old code'
00015F26                      @@1             ...



00015F1D 74 07                                jz short @@1
00015F1F yy yy yy yy                          'your code'
00015F23 xx xx xx                             'old code'
00015F26                      @@1             ...
The first uses a normal jump as may be in the code you want to change. The lower one has changed that to a 'short' jump. In doing so, it has saved 4 bytes in which you can now add a 4 byte instruction, two 2 byte instructions or a 3 byte instruction and a NOP. If the jump is made both sets of code function identically. If the jump is not made then the edited code has 4 extra bytes filled with your new code 'yy yy yy yy'.

If you wanted to add 4 bytes of code that are always obeyed you could rearrange it like this :

Code:
00015F1D yy yy yy yy                          'your code'
00015F21 74 03                                jz short @@1
00015F23 xx xx xx                             'old code'
00015F26                      @@1             ...
Git

Last edited by Git : 09-05-2010 at 02:11 PM.
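Git's two layouts above, worked through as an added Python example (not code from the thread): it shortens the 6-byte near jz to the 2-byte short form, computes the new displacement for either layout, and checks that the branch target is unchanged. The 'old code' and 'your code' bytes are constructed NOP placeholders, and the addresses are the ones from the snippets.

```python
from typing import Tuple

# Constructed sample matching post #4: a 6-byte 'jz @@1' at 00015F1D whose
# target is 00015F26, followed by 3 bytes of 'old code' (NOPs stand in for xx).
BASE = 0x15F1D
ORIGINAL = bytes.fromhex("0F 84 03 00 00 00") + bytes.fromhex("90 90 90")
NEW_CODE = bytes.fromhex("90 90 90 90")  # the 4 bytes of 'your code' (yy yy yy yy)


def shorten_jcc(code: bytes, base: int, new_code: bytes,
                code_first: bool = False) -> Tuple[bytes, int]:
    """Rewrite the near Jcc (0F 80..8F rel32) at the start of `code` as a
    2-byte short Jcc and put 4 bytes of new code in the freed space.

    code_first=False gives post #4's first layout (jump, new code, old code);
    code_first=True gives the second (new code, jump, old code).  The block
    length is unchanged, so 'old code' keeps its address.  Returns
    (patched_bytes, absolute_target)."""
    if len(code) < 6 or code[0] != 0x0F or not 0x80 <= code[1] <= 0x8F:
        raise ValueError("block does not start with a near Jcc (0F 80..8F rel32)")
    if len(new_code) != 4:
        raise ValueError("new code must be exactly 4 bytes to keep the layout")
    rel32 = int.from_bytes(code[2:6], "little", signed=True)
    target = base + 6 + rel32                # where the original jump goes
    jcc_addr = base + 4 if code_first else base
    rel8 = target - (jcc_addr + 2)           # short form is relative to its own end
    if not -128 <= rel8 <= 127:
        raise ValueError("target too far for a short jump")
    # Near 0F 8x and short 7x share the low nibble for the condition: 0F 84 -> 74.
    short = bytes([0x70 | (code[1] & 0x0F), rel8 & 0xFF])
    # In the code-first layout the new code runs before the Jcc, so it must
    # leave EFLAGS untouched, and anything that jumped to the old Jcc address
    # now lands on the new code instead; check both before applying.
    body = new_code + short if code_first else short + new_code
    return body + code[6:], target


def short_jcc_target(block: bytes, offset: int, base: int) -> int:
    """Decode the short Jcc at block[offset] and return its absolute target."""
    if not 0x70 <= block[offset] <= 0x7F:
        raise ValueError("not a short Jcc")
    rel8 = int.from_bytes(block[offset + 1:offset + 2], "little", signed=True)
    return base + offset + 2 + rel8


if __name__ == "__main__":
    for layout in (False, True):
        patched, target = shorten_jcc(ORIGINAL, BASE, NEW_CODE, code_first=layout)
        print(patched.hex(" "), hex(target),
              hex(short_jcc_target(patched, 4 if layout else 0, BASE)))
```

Run as is, the first line printed is `74 07 ...` with target 0x15f26 and the second `90 90 90 90 74 03 ...`, the same bytes Git wrote out by hand.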
#5
09-05-2010, 02:29 PM
lnuxxunl
Junior Member
Join Date: Sep 2010
Posts: 4

[Please DO NOT quote whole messages, it is a complete waste of time and space]


Thank you very much

The idea is clear to me now.

I hope I don't bother you.

The last thing I need is the instructions and their equivalents.
Would you recommend one to me?
Thank you

Last edited by Git : 09-05-2010 at 04:57 PM.
#6
09-05-2010, 05:02 PM
Git
Super Moderator
Join Date: Oct 2007
Location: Torino
Posts: 1,797

Work it out for yourself. You need to read "Intel® 64 and IA-32 Architectures Software Developer's Manual" which you can download from Intel. Last time I looked it was in 5 parts :

Optimization Reference Manual.pdf
Volume 1- Basic Architecture.pdf
Volume 2A- Instruction Set Reference- A-M.pdf
Volume 2B- Instruction Set Reference- N-Z.pdf
Volume 3A- System Programming Guide.pdf
Volume 3B- System Programming Guide.pdf

Volume 2 is the most important.

Git
#7
09-06-2010, 04:20 AM
lnuxxunl
Junior Member
Join Date: Sep 2010
Posts: 4

Thank you very much

I have a clear starting point now.

Thank you again