Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Anti-Disassembly/Impossible-Disassembly
Description
Impossible disassembly occurs when rogue bytes (0xFF in the example below) that appear in the middle of the instructions are part of the code itself. A disassembler consumes the FF as the operand of the JMP and then decodes C0 48 as garbage, whereas at run time the jump lands on the FF and executes FF C0 (INC EAX) followed by 48 (DEC EAX). In this situation it is no longer enough to redefine the types (e.g. CODE, DATA, ...) in IDA-Pro; you also need to patch the junk bytes with NOPs so that IDA-Pro can follow the code's logic.
       ┌────┐ JMP -1
       ▼    │
┌────┬────┬────┬────┐
│ EB │ FF │ C0 │ 48 │
└────┴────┴────┴────┘
     ¦ INC EAX ¦ DEC EAX
Code modifications
Suppose you have the following byte code:
            ┌───────────────────────────┐
            ▼       ¦ XOR eax,¦         │
¦ MOV ax, 05EBh     ¦   eax   ¦  JZ -7  │ Fake CALL              ¦
┌────┬────┬────┬────┬────┬────┬────┬────┬────┬────┬────┬────┬────┐
│ 66 │ B8 │ EB │ 05 │ 31 │ C0 │ 74 │ F9 │ E8 │ 58 │ C3 │ 90 │ 90 │
└────┴────┴────┴────┴────┴────┴────┴────┴────┴────┴────┴────┴────┘
          ¦  JMP 5  ¦                        ¦ Real Code ¦
          ¦                                    ▲
          └────────────────────────────────────┘
Below is the initial interpretation in IDA-Pro:
66 B8 EB 05        mov     ax, 5EBh
31 C0              xor     eax, eax
74 F9              jz      short near ptr sub_4011C0+1
                 loc_4011C8:
E8 58 C3 90 90     call    near ptr 98A8D525h
You can redefine the junk bytes as data so that the listing becomes:
66                 byte_4011C0 db 66h
B8                 db      0B8h
EB                 db      0EBh
05                 db      5
; -----------------------------------------------
31 C0              xor     eax, eax
; -----------------------------------------------
74                 db      74h
F9                 db      0F9h
E8                 db      0E8h
; -----------------------------------------------
58                 pop     eax
C3                 retn
Then patch every byte that was converted to data with a NOP (90h), so that the code finally reads:
90                 nop
90                 nop
90                 nop
90                 nop
31 C0              xor     eax, eax
90                 nop
90                 nop
90                 nop
58                 pop     eax
C3                 retn
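As an added example (not part of the original page and not IDA-Pro's decoder), the toy decoder below covers only the opcodes that appear on this page. It contrasts a linear sweep with control-flow following on the rogue-byte sequence EB FF C0 48 from the Description, then applies the NOP patching described above to the 13-byte sequence and shows that the sweep now yields the real code. The opcode table, function names and the list of junk-byte offsets are my own assumptions.

```python
s8 = lambda b: b - 256 if b > 127 else b          # one byte as a signed 8-bit displacement

def decode_one(code, off):
    """Return (length, text, branch target or None) for the instruction at off (toy table only)."""
    op, nxt = code[off], code[off + 1] if off + 1 < len(code) else 0
    if op in (0xEB, 0x74):                                       # jmp / jz rel8
        return 2, "%s %+d" % ({0xEB: "jmp", 0x74: "jz"}[op], s8(nxt)), off + 2 + s8(nxt)
    if op == 0x66 and nxt == 0xB8:                               # mov ax, imm16
        return 4, "mov ax, %04Xh" % int.from_bytes(code[off + 2:off + 4], "little"), None
    two = {(0xFF, 0xC0): "inc eax", (0x31, 0xC0): "xor eax, eax"}  # FF /0 and 31 /r, modrm C0
    if (op, nxt) in two:
        return 2, two[(op, nxt)], None
    if op == 0xC0:                                               # shift r/m8, imm8: modrm (+disp) + imm8
        return 3 + {1: 1, 2: 4}.get(nxt >> 6, 0), "shift r/m8, imm8", None
    fixed = {0x48: (1, "dec eax"), 0x58: (1, "pop eax"), 0x90: (1, "nop"),
             0xC3: (1, "retn"), 0xB8: (5, "mov eax, imm32"), 0xE8: (5, "call rel32")}
    if op in fixed:
        return fixed[op] + (None,)
    raise ValueError("opcode %02X not in toy table" % op)

def linear_sweep(code):
    """Decode sequentially from offset 0, the way a disassembler does by default."""
    out, off = [], 0
    while off < len(code):
        n, text, _ = decode_one(code, off)
        out.append(text + (" (runs past end of buffer)" if off + n > len(code) else ""))
        off += n
    return out

def follow_flow(code, start=0):
    """Decode along the path the CPU actually takes, treating branches as taken."""
    out, off, seen = [], start, set()
    while off < len(code) and off not in seen:
        seen.add(off)
        n, text, target = decode_one(code, off)
        out.append(text)
        if text == "retn":
            break
        off = target if target is not None else off + n
    return out

def nop_patch(code, junk_offsets):
    """Overwrite the given offsets with NOP (90h), as done by hand in IDA-Pro above."""
    buf = bytearray(code)
    for i in junk_offsets:
        buf[i] = 0x90
    return bytes(buf)

ROGUE = bytes.fromhex("EB FF C0 48")                                  # bytes of the first diagram
CODE = bytes.fromhex("66 B8 EB 05 31 C0 74 F9 E8 58 C3 90 90")        # bytes of the second diagram
```

`linear_sweep(ROGUE)` reports the JMP followed by a truncated shift instruction, while `follow_flow(ROGUE)` yields jmp, inc eax, dec eax; `linear_sweep(nop_patch(CODE, [0, 1, 2, 3, 6, 7, 8]))` reproduces the final listing above.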