At one time, Hutch/Steve had code to obfuscate embedded data, making it harder to reverse engineer.
I ran through the current distribution of MASM, and could not find it.
1. Ok, point to it, in the current distribution of MASM.
- OR -
2. Attach the code to here, from older distribution or older post.
Thanks In Advance, Michael, aka P1
Something like this?

include \masm32\include\masm32rt.inc

.code
start:
    call @F                        ; return address = address of @obs$
@obs$ dd 0BB11E534h,0BB3F9751h,0DE51FE36h,0B034DE53h,0C346BB25h,0A6349B4Ah,0D214E92Fh,0B6668847h,09612E167h,0F17C880Ch,09011A820h,
         0F165C944h,0D101AC20h,0B564CE4Dh,0D044AB39h,0B127D84Ch,0D745B76Ch,0B8319709h,0DC5EF429h,0B83F9C09h,0DD49F97Dh,
         08E66911Eh,0FA13D93Eh,0D676B457h,0A256D139h,0CD76A578h
@@: pop edx                        ; edx -> @obs$
    mov ecx, sizeof @obs$/4        ; number of dwords
    .Repeat
        mov eax, [edx]
        xor eax, [edx-4]           ; key = the preceding (still encoded) dword
        add edx, 4
        push eax                   ; decoded dwords land reversed, first chars at [esp]
        dec ecx
    .Until Zero?
    inkey esp                      ; print the string sitting on the stack
    add esp, sizeof @obs$          ; cleanup
    exit
end start
Quote from: jj2007 on September 08, 2017, 07:00:22 AM
Something like this?
It was in two parts: one part encoded the data to be embedded/Cut-N-Pasted into the asm file, the other was the decode proc to return the data unencoded. I just do not want the clear text to be visible in a utility like ProcExp. What I remember is that it was fairly sophisticated, but not impossible to decode.
You helped me remember: in QEditor, under Code, there is "Create Mangle Text".
You get the RBI for this one. :t
Best Regards, Michael, aka P1
For my version, see Obscure a string (http://masm32.com/board/index.php?topic=94.msg30979#msg30979). Olly has a rough time with this sort of thing, but it can't be perfect. When you step through the code, after a while the string starts showing in Olly ;)
Michael,
The link in QE is to an exe called "mangle.exe" which is in the MASM32 directory. There is nothing that you cannot break if you take long enough, but the separation of the data and the code will add enough grief to the life of the hacker to slow up most of them. :P
I should have added, there is a trick to make life even more miserable for the would-be hacker: as soon as you have decrypted and used the string, overwrite it with garbage, which narrows the window to view the text. The main PHUN with the original technique is to make the binary very hard to modify, as it involves changing both code and data.
Here is a variant, just for fun (with some checks):

include \masm32\include\masm32rt.inc

.code
start:
    mov esi, 12345678h             ; for later verification
    print hex$(esp), 9, "stack", 13, 10
    ; --------- the fun starts here ----------------
    push esi
    push sizeof @obs$/4            ; note the reversed order: pop esi, then pop ecx!
    call @F
@obs$ dd 0BB11E534h,0BB3F9751h,0DE51FE36h,0B034DE53h,0C346BB25h,0A6349B4Ah,0D214E92Fh,0B6668847h,09612E167h,0F17C880Ch,09011A820h,
         0F165C944h,0D101AC20h,0B564CE4Dh,0D044AB39h,0B127D84Ch,0D745B76Ch,0B8319709h,0DC5EF429h,0B83F9C09h,0DD49F97Dh,
         08E66911Eh,0FA13D93Eh,0D676B457h,0A256D139h,0CD76A578h
@@: pop esi                        ; return address = address of @obs$
    pop ecx                        ; dword count
    .Repeat
        xchg eax, edx              ; edx = previous (still encoded) dword
        lodsd                      ; eax = next encoded dword, esi += 4
        push eax
        xor [esp], edx             ; decode in place on the stack
        dec ecx
    .Until Zero?
    ; --------- ready to use the string ----------------
    print esp, 13, 10
    add esp, sizeof @obs$          ; cleanup
    pop esi                        ; restore esi
    print hex$(esp), 9, "stack", 13, 10     ; check if everything
    inkey hex$(esi), 9, "esi", 13, 10       ; is in the right places
    exit
end start
Output:

0018FF88 stack
At one time, Hutch/Steve had code to obfuscate embedded data, making it harder to reverse engineer.
0018FF88 stack
12345678 esi
And here is a small excerpt of what Olly "sees":

00401024  . 56             push esi                  ; ┌Arg2
00401025  . 6A 1A          push 1A                   ; │Arg1 = 1A
00401027  . E8 68000000    call 00401094             ; └ObfuscateString.00401094
0040102C  . 34 E5          xor al, E5
0040102E  . 11BB 51973FBB  adc [ebx+BB3F9751], edi
00401034    36             db 36                     ; char '6'
00401035    FE             db FE                     ; char 'þ'
00401036    51             db 51                     ; char 'Q'
00401037    DE             db DE                     ; char 'Þ'
00401038    53             db 53                     ; char 'S'
00401039    DE             db DE                     ; char 'Þ'
0040103A    34             db 34                     ; char '4'
0040103B    B0             db B0
0040103C    25             db 25                     ; char '%'
0040103D    BB             db BB
0040103E ┌. 46             inc esi
0040103F └. C3             retn
When you step over call 00401094 using F8, the string is already printed, and there is no way to go back :P
Project attached, the exe has an int 3 just before the push esi.
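As an added example (not code from this thread, from mangle.exe or from the Obscure a string tool), here is the two-part tool P1 describes, written in Python against the scheme in jj2007's listings above: an encoder that emits the @obs$ table for a given string, and a decoder that mirrors the push loop so the table can be verified before it is pasted into the asm file. The 26-dword table and the 0x68 seed (the call's rel32, i.e. [edx-4] in the first listing) are taken from the thread; the NUL-terminate-then-pad rule and the single filler dword past the terminator are assumptions that reproduce that table exactly.

```python
import os
import struct

# The @obs$ table from the listings above (26 dwords, in memory order).
OBS = [
    0xBB11E534, 0xBB3F9751, 0xDE51FE36, 0xB034DE53, 0xC346BB25, 0xA6349B4A,
    0xD214E92F, 0xB6668847, 0x9612E167, 0xF17C880C, 0x9011A820, 0xF165C944,
    0xD101AC20, 0xB564CE4D, 0xD044AB39, 0xB127D84C, 0xD745B76C, 0xB8319709,
    0xDC5EF429, 0xB83F9C09, 0xDD49F97D, 0x8E66911E, 0xFA13D93E, 0xD676B457,
    0xA256D139, 0xCD76A578,
]

def decode(words, seed=0):
    """Mirror the .Repeat loop: each dword is XORed with the still-encoded
    dword before it and pushed, so the buffer ends up dword-reversed on the
    stack with the first characters at [esp]. `seed` is what [edx-4] holds
    for the first entry (0x68 in the first listing; irrelevant to the text)."""
    stack, key = [], seed
    for w in words:
        stack.insert(0, w ^ key)    # push eax
        key = w                     # the next entry is keyed by this encoded one
    raw = b"".join(struct.pack("<I", w) for w in stack)
    return raw.split(b"\0", 1)[0].decode("latin-1")

def encode(text, seed=0, filler=None):
    """Inverse of decode (assumed layout): NUL-terminate, pad to a dword
    boundary, append one filler dword (random unless given), reverse the
    dword order and chain-XOR each dword with the previous encoded dword."""
    buf = text.encode("latin-1") + b"\0"
    buf += b"\0" * (-len(buf) % 4)
    words = [struct.unpack("<I", buf[i:i + 4])[0] for i in range(0, len(buf), 4)]
    words.append(int.from_bytes(os.urandom(4), "little") if filler is None else filler)
    words.reverse()
    out, key = [], seed
    for w in words:
        key = w ^ key               # key now holds the encoded dword
        out.append(key)
    return out

def masm_dd_line(words, label="@obs$"):
    """Emit the table in MASM syntax, ready to paste after 'call @F'."""
    return f"{label} dd " + ",".join(f"0{w:08X}h" for w in words)

if __name__ == "__main__":
    print(decode(OBS, seed=0x68))
    print(masm_dd_line(encode("Hello from the stack", seed=0x68)))
```

Because every dword is keyed by its encoded predecessor, changing one table entry corrupts the next decoded dword as well, which is the property Hutch refers to when he says the binary is hard to modify.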