Fooling Disassemblers
(Protecting Applications Against Disassembly)
(The "non-conditional" conditional jump and other tricks)
by Snatch
(07 December 1997)
Courtesy of fravia's page
of reverse engineering
Well, a minimum for protectionists' future scheme, I would say...
I have recently been working on a disassembler and have thought about
the ways protectionists can fool them, pretty easily.
Note that disassemblers do not have artificial intelligence :-)
Approaches that disassemblers may be able to bypass:
1 - Jump statements jumping onto themselves
Suppose you had a part of your code that was never called.
You could put in an infinite loop:
0000: EB FE   jmp 0000     ; rel8 = -2, so the jump lands on its own first byte
same as
0000: F4      hlt
A disassembler that follows control flow without remembering where it has been may loop forever on the jmp, whereas with hlt it would not.
2 - Fake jump statements
If the next statement you plan to use is an inc, dec, call, jmp or push whose encoding begins with opcode FF, try this:
0000: EB FF   jmp 0001     ; jumps into the second byte of the jmp itself
0002: ?? ??                ; what a straight-line disassembler decodes next
same as
0000: 90      nop
0001: FF ??   inc, dec, call, jmp or push (what actually executes)
This should confuse disassemblers, because the FF byte is both the jump's displacement and the first byte of the real instruction.
3 - One way calls
If you are going to jump to a subroutine and never return, consider calling the subroutine instead and popping the return address off the stack.
0000: call sub1
...
1000: sub1:
1000: pop dx               ; discard the return address pushed by call
1001: pop dx
same as
0000: jmp sub1
...
1000: sub1:
1000: pop dx
A disassembler will usually assume there is code after the call statement and continue scanning there.
4 - Ret used as jump
If you are going to call a subroutine, consider this:
1000: push 92F             ; address of the sub
1003: ret                  ; pops it and jumps there
same as
1000: jmp 92F
Disassemblers will not find your sub at 92F, because ret ends the instruction stream as far as they are concerned. You may find this in packed files.
Approaches that disassemblers cannot bypass:
5 - fake conditional jumps
Only one side of the jump is ever taken, because cmp ax,ax always sets the zero flag:
1000: cmp ax,ax
1002: je loc1
...
1040: loc1:
same as
1000: jmp loc1
1040: loc1
Disassemblers will have to assume that there is code on the other side of
the jump, and will have no way of telling the difference because they do not yet
have brains!
Summary:
Note that on approaches 1, 2 and 5, if you use a jump with a rel16
or rel32 displacement, you will need to fix the distance of the jumps.
Note that on approaches 3 and 4, if you are using a full segment:offset
address, more will need to be pushed and popped.
These approaches can only be used if you program in assembly language
or use C with inline assembly. You will need a good grasp
of assembly language to understand these 5 concepts.
Good luck with your protections!
Snatch '97
(c) Snatch 1997. All rights reversed