The purpose of execution flow obfuscation will be to add as many unnecessary jumps as possible, while retaining the original code functionality. Is there any way we can disturb its execution flow to make it both harder to read and harder to step through? There sure is! You can see the code is pretty straight forward and easy to navigate. That sample code will be used for demonstration purposes. If EAX = 8 the jump is not taken and RETN is executed.
Later it compares if the value of EAX = 8 and if not, jumps back to the beginning. After that it adds ECX to EAX and jumps to 00390015 if EAX = 0 (which is false). This simple code puts some values in EAX and ECX registers. Let's take a look at the following code: 00390000 B8 02000000 MOV EAX,2 These are commonly called branch instructions as they allow the code to branch out into multiple directions. Execution Flow DeceptionĮvery assembly code consists of calls and jumps separated by instructions that reside in the middle.
#Jmp assembly full#
I will fix it this episode as I explain methods of implementing full blown execution flow obfuscation by injecting dozens of jumps to make the code output unrecognizable. The obfuscated code output now, while being pretty well obfuscated, still is pretty easy to navigate as the execution flow is not changed. Last time, I've added obfuscation support for most common x86 instructions, which allowed to process the obfuscation output several times in order to get even better results. Hello and welcome back to the shellcode obfuscation series! If you've missed the previous episodes, take your time and catch up here:
0 kommentar(er)
