
Opaque Predicates

Started by Magnum, February 22, 2013, 01:03:13 PM


Magnum


; Opaq_Pred.asm  "You worked hard writing code, nothing wrong with making THEM work a little harder."

; Opaque Predicates are false branches. The branch appears to be conditional but is not.
; Because of the way decompilers work, the fact that this is not really a conditional is not known.
;
; In a normal conditional jump, there are 2 ways the code can go. Because of this the decompiler must disassemble
; the code for both conditions. In an opaque predicate, we make the disassembler think that there are 2 ways the code
; can go, even though there is only one way it can go. The technique is to set up one of these unconditional
; jumps and insert junk code into the code path that will never be called and real code in the path that will always
; be called. This will force the decompiler to disassemble both paths even though one of them is junk code.

include \masm32\include\masm32rt.inc   

.CONST


.data
   
WaterMark   db  "SiegeWorks (c) 2013 ð__ð" ; Alt 240 char
Series      db  "1a"
%Date       db  " &@Date " ; Compile date
%time       db  " &@Time"
%version    db  " Masm Version &@Version"

.data?

.code


start:

mov eax,2
xor ecx,ecx
;------------------------------------------------------------------
; Insert more non-functional code here to make things more confusing
;------------------------------------------------------------------

cmp eax,3

je Opaque_Predicate

jne gut ; will always jump here

; This is never reached
;
Opaque_Predicate:

false db "now is the time." ; Compiler does its best here :-)

gut:

; REAL CODE STARTS HERE
;

invoke ExitProcess,0

end     start

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

dedndave


Magnum


Tedd

Not sure what you're hoping this will achieve - add a few microseconds to the disassembly time? Insert extra code that will never be stepped through anyway?

If you want to screw up a disassembly, insert false opcode prefixes in the bytes before a jump target (0Fh, ...) - a flat disassembly will eat the next few bytes and the jumps will appear to land in the middle of instructions.
But the disassembly will resync again within the next few instructions; and a smart disassembler will use the targets of jumps to resync anyway.
Potato2

Magnum

Not sure what you mean.

Can you give an example ?

Andy



First:
xor ax,ax
mov es,ax
mov esi,eax

xor eax,eax
   mov ecx,3
   ;   rep inc eax

;db F3 40h

db 0fh

jmp next

db 66h ; inc AX ??

nop
nop
; -------------------------------------------------------------------------

; FAULT ->00401005 0f6838 punpckhbw mm7,qword ptr [eax] ds:0023:00000001=????????????????

;db 0F3h

; -------------------------------------------------------------------------

;db 40h

next:

;db 0fh ; This causes an access violation

fn MessageBox,0,str$(eax),"Title",MB_OK


Magnum

Quote from: Tedd on February 23, 2013, 02:23:28 AM
Not sure what you're hoping this will achieve - add a few microseconds to the disassembly time? Insert extra code that will never be stepped through anyway?

If you want to screw up a disassembly, insert false opcode prefixes in the bytes before a jump target (0Fh, ...) - a flat disassembly will eat the next few bytes and the jumps will appear to land in the middle of instructions.
But the disassembly will resync again within the next few instructions; and a smart disassembler will use the targets of jumps to resync anyway.

No reply to my question ??

Popup and criticize and disappear with the wind.

Consider this, what I post is miniscule - very small; "a minuscule kitchen"; "a minuscule amount of rain fell"

You may not be as smart as you think you are, and OTHERS are not as dumb as you think they are.

I still have respect for you and highly value your knowledge.

Best regards,

Drew

japheth

Quote from: Magnum on February 23, 2013, 07:01:22 PM
No reply to my question ??

Popup and criticize and disappear with the wind.

Actually, Tedd was the first to ask a question - which you did decide to ignore.  But without knowing what you want to achieve, this discussion is somewhat void.

example for using 0F prefix to confuse disassembler:


mov ax,1
cmp ax,2
jnz @F
db 0Fh
@@:
inc ax
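
The following is an added example, not code from the thread: a toy Python decoder that knows only the opcodes in japheth's snippet, run as a flat linear sweep (which swallows the 0F byte together with the inc ax after it) and as a recursive traversal that also decodes from the jnz target, the resync Tedd describes. CODE is the snippet hand-assembled by me for this example; the overlap the traversal reports at offset 11 is the sign an analyst looks for when a listing looks wrong.

```python
# Toy x86-32 decoder for the opcodes in japheth's snippet (added example, not the
# thread's code); CODE is that snippet hand-assembled (constructed bytes).
CODE = bytes.fromhex("66b80100" "6683f802" "7501" "0f" "6640")  # mov/cmp/jnz/0F/inc

def modrm_len(b, i):                                 # ModRM + SIB + disp, 32-bit mode
    mod, rm = b[i] >> 6, b[i] & 7
    disp = {1: 1, 2: 4}.get(mod, 4 if mod == 0 and rm == 5 else 0)
    return 1 + (mod != 3 and rm == 4) + disp         # SIB byte present when rm == 4

def decode(b, i):
    """Return (mnemonic, length, branch target or None) for the instruction at b[i]."""
    start, pfx = i, b[i] == 0x66                     # 66h operand-size prefix?
    i += pfx
    op = b[i]
    if 0xB8 <= op <= 0xBF:                           # mov r16/r32, imm
        return "mov", i + (3 if pfx else 5) - start, None
    if op == 0x83:                                   # alu r/m, imm8 (cmp here)
        return "cmp", i + 2 + modrm_len(b, i + 1) - start, None
    if op == 0x75:                                   # jnz rel8, sign-extended
        return "jnz", i + 2 - start, i + 2 + ((b[i + 1] ^ 0x80) - 0x80)
    if 0x40 <= op <= 0x47:                           # inc r16/r32
        return "inc", i + 1 - start, None
    if op == 0x0F:                                   # two-byte opcode escape
        return "0F %02X ?" % b[i + 1], i + 2 + modrm_len(b, i + 2) - start, None
    raise ValueError("opcode %02X not in toy table" % op)

def linear_sweep(b):                                 # flat disassembler: straight through
    out, i = {}, 0
    while i < len(b):
        text, n, _ = decode(b, i)
        out[i] = (text, n)
        i += n
    return out

def recursive_traversal(b):                          # also decode from every branch target
    seen, work = {}, [0]
    while work:
        i = work.pop()
        while 0 <= i < len(b) and i not in seen:
            text, n, target = decode(b, i)
            seen[i] = (text, n)
            if target is not None:
                work.append(target)
            i += n
    return dict(sorted(seen.items()))

def find_overlaps(listing):                          # starts inside another decoded instruction
    return [(s, t) for s, (_, n) in listing.items() for t in listing if s < t < s + n]
```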

Tedd

Quote from: Magnum on February 23, 2013, 07:01:22 PM
No reply to my question ??

Popup and criticize and disappear with the wind.
You didn't even wait 24 hours for a reply and now you're shooting your mouth off? Wow.

I was going to post an example with a proper explanation and opcodes.. suddenly I have better things to do.

Magnum

Quote from: japheth on February 24, 2013, 04:03:52 AM
Quote from: Magnum on February 23, 2013, 07:01:22 PM
No reply to my question ??

Popup and criticize and disappear with the wind.

Actually, Tedd was the first to ask a question - which you did decide to ignore.  But without knowing what you want to achieve, this discussion is somewhat void.

example for using 0F prefix to confuse disassembler:


mov ax,1
cmp ax,2
jnz @F
db 0Fh
@@:
inc ax


Thanks.

Tedd's question was an open criticism as he has done many times before.

I overreacted, I should have ignored the post.

I don't know, maybe I should accept help even if it's grudgingly given.

I want things peaceful.

Andy


MichaelW

Quote from: Magnum on February 24, 2013, 11:16:51 AM
Tedd's question was an open criticism as he has done many times before.

I overreacted, I should have ignored the post.

I don't know, maybe I should accept help even if it's grudgingly given.

So you do recognize that Tedd's criticism was help.
Well Microsoft, here's another nice mess you've gotten us into.