An example of what I explained above (FASM syntax because it is easier for stuff like this, imho):
    call check_CC
    ; obfuscate this conditional jump using flags and known register values
    ; (ZF = 1 here means the REPNE SCASB below found a 0CCh byte)
    je Bad_Thing_TM

Good_Thing_TM:
    nop

Bad_Thing_TM:
    ; should try to hide this to prevent RE'ing backwards
    jmp ExitProcess

; integrate this into the depack routine
check_CC:
    pushd CC_Magic                   ; the 4 instruction bytes below now sit at [esp]
    mov eax, 0CCh                    ; AL = INT3 opcode (software breakpoint) to search for
    mov edi, DepakChopra             ; start of the region to check
    mov ecx, DeepPack - DepakChopra  ; its length in bytes
    jmp esp                          ; execute the pushed bytes on the stack

; the code below is executed on the stack...
virtual at 0
    repne
    scas byte [edi]                  ; F2 AE: scan ECX bytes for AL, leaves ZF = 1 if found
    pop ebx                          ; 5B: discard the pushed CC_Magic dword
    retn                             ; C3: return to the CALLer with ZF intact
    load CC_Magic dword from 0       ; capture those 4 bytes as the constant pushed above
end virtual

; stand-in for the depack code / packed data being scanned (73 bytes, none of them 0CCh)
DepakChopra:
    repeat 73
        db %                         ; % is the REPEAT counter, 1..73
    end repeat
DeepPack:
Another twisty thing to do is use XLATB and point EBX at the depack code - requiring the code to be intact during depacking. We can create such a convoluted mass of code that it will take an expert ASM programmer a couple of hours. ;)
Posted on 2004-02-06 07:23:22 by bitRAKE
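An added example, not code from the post above: a C model of the two checks bitRAKE describes. has_int3() does what the REPNE SCASB executed on the stack does, scanning a code region for the one-byte INT3 opcode (0CCh) a debugger writes over the first byte of an instruction to plant a software breakpoint. xlat_decode() does what a depacker built around XLATB with EBX pointing at its own code does: every unpacked byte is looked up in the code bytes themselves, so a planted 0CCh corrupts the output instead of being something the debugger can hide. The 256-byte "code" region, the packed bytes and all function names are constructed for the example and stand in for the DepakChopra..DeepPack range; they are not real x86 code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT3 0xCC   /* one-byte opcode a debugger writes to plant a software breakpoint */

/* What "mov eax,0CCh / repne scasb" does: returns 1 (ZF=1) if the region
 * holds a 0CCh byte anywhere in its len bytes. */
static int has_int3(const uint8_t *code, size_t len)
{
    return memchr(code, INT3, len) != NULL;
}

/* Constructed stand-in for the DepakChopra..DeepPack region: 256 bytes so it
 * can serve as an XLAT table.  Byte i = (i*7+3) & 0FFh; the one value that
 * would be 0CCh is replaced by 90h so the clean image contains no INT3.
 * (Real code can legitimately contain 0CCh, e.g. inside an immediate, which
 * is the classic false positive of this check.) */
static void build_code(uint8_t table[256])
{
    for (int i = 0; i < 256; i++) {
        uint8_t v = (uint8_t)(i * 7 + 3);
        table[i] = (v == INT3) ? 0x90 : v;
    }
}

/* What a debugger does on "bpx": overwrite the first byte of an instruction. */
static void plant_breakpoint(uint8_t *code, size_t off)
{
    code[off] = INT3;
}

/* What a depacker built around XLATB does (AL = [EBX+AL], EBX -> its own
 * code): each packed byte is an index into the code bytes, so the unpacked
 * output is only right while the code is byte-for-byte intact. */
static void xlat_decode(const uint8_t table[256], const uint8_t *packed,
                        size_t n, uint8_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = table[packed[i]];
}

/* check_CC followed by "je Bad_Thing_TM": returns 0 and decodes nothing when
 * a breakpoint byte is present, otherwise decodes and returns 1. */
static int check_and_decode(const uint8_t code[256], const uint8_t *packed,
                            size_t n, uint8_t *out)
{
    if (has_int3(code, 256))
        return 0;
    xlat_decode(code, packed, n, out);
    return 1;
}

int main(void)
{
    uint8_t code[256], out[3];
    const uint8_t packed[3] = {10, 20, 30};   /* constructed "packed" bytes = table indexes */
    int ok;

    build_code(code);
    ok = check_and_decode(code, packed, 3, out);
    printf("clean image: check_and_decode -> %d, out = %02X %02X %02X\n",
           ok, out[0], out[1], out[2]);

    plant_breakpoint(code, 20);               /* bpx on the byte that packed[1] looks up */
    ok = check_and_decode(code, packed, 3, out);
    printf("after bpx at 20: has_int3 -> %d, check_and_decode -> %d\n",
           has_int3(code, 256), ok);

    xlat_decode(code, packed, 3, out);        /* if the check itself were patched out */
    printf("xlat through the patched code: out = %02X %02X %02X\n",
           out[0], out[1], out[2]);
    return 0;
}
```

Two caveats the post takes for granted in 2004: the real check_CC runs its four bytes on the stack, which DEP/NX on a modern Windows build will refuse, and neither variant sees a hardware breakpoint (DR0-DR3), which writes nothing into the code.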
I'll try to see if I can play with this code to get it to work :)

However, what is the MASM32 alternative for
db %
Is it db ?


Also, this may be a bit off topic, but I made my own little code macro, and if I execute it more than once it messes up my code 0.0 and I don't know why. Maybe someone will figure it out. Here it is:



trick_jump macro
    jmp short $+3       ; EB 01: rel8 is measured from the end of the jmp, so this skips exactly one byte
    db 0EBh, 090h       ; fake jmp (EB 90): a disassembler shows "jmp $-6Eh", execution lands on the 90h = nop
    ; NB: "jmp $+90" assembles to EB 58 (rel8 = 90-2), so the byte that ran was 58h = pop eax,
    ; and "db 0EBh,001h" is jmp $+3, not jmp $+1: it skipped the first byte after the macro.
endm
Posted on 2004-02-06 15:20:15 by DevSpartacus
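An added example, not code from the post above: a small C tracer for the byte stream the trick_jump macro assembles to, showing which bytes actually execute. It models only the opcodes involved (EB rel8, 90h, 58h); the buffer layouts, the trailing NOPs standing in for the user's next instructions, and all function names are constructed for the example. The point it makes: a short "jmp $+n" encodes rel8 = n - 2 because the displacement counts from the end of the two-byte jump, so "jmp $+90" emits EB 58 and the byte landed on is pop eax, while "db 0EBh,001h" is another jmp $+3 that skips the first byte after the macro.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* "jmp $+n" as a short jump assembles to EB rel8, and rel8 is counted from the
 * END of the 2-byte instruction, so rel8 = n - 2:  jmp $+3 -> EB 01,
 * jmp $+90 -> EB 58.  That 58h is the byte that actually executes. */
static uint8_t short_jmp_rel8(int n)
{
    return (uint8_t)(n - 2);
}

/* The bytes the macro as posted assembles to.  Returns their count. */
static size_t emit_trick_jump_original(uint8_t *b)
{
    b[0] = 0xEB; b[1] = short_jmp_rel8(3);   /* jmp $+3      -> EB 01 */
    b[2] = 0xEB; b[3] = short_jmp_rel8(90);  /* jmp $+90     -> EB 58 */
    b[4] = 0xEB; b[5] = 0x01;                /* db 0EBh,001h = jmp $+3, not jmp $+1 */
    return 6;
}

/* A corrected macro: hop over the EBh of a fake short jump whose displacement
 * byte is a real NOP, then fall straight through into the next instruction. */
static size_t emit_trick_jump_fixed(uint8_t *b)
{
    b[0] = 0xEB; b[1] = short_jmp_rel8(3);   /* jmp $+3      -> EB 01 */
    b[2] = 0xEB; b[3] = 0x90;                /* db 0EBh,090h: shows as "jmp $-6Eh", lands on nop */
    return 4;
}

/* Minimal tracer for the only opcodes involved: EB rel8 (short jmp),
 * 90h (nop), 58h (pop eax).  Records the offset of every instruction that
 * executes; *stop is where tracing ended: len for a clean fall-through, or
 * the offset of a byte the tracer does not model, i.e. where a real CPU
 * would start decoding whatever happens to be there. */
static size_t trace(const uint8_t *code, size_t len,
                    size_t *executed, size_t max, size_t *stop)
{
    size_t ip = 0, n = 0;
    while (ip < len && n < max) {
        uint8_t op = code[ip];
        if (op == 0xEB && ip + 1 < len) {
            executed[n++] = ip;
            ip = (size_t)((long)ip + 2 + (int8_t)code[ip + 1]);
        } else if (op == 0x90 || op == 0x58) {
            executed[n++] = ip;
            ip += 1;
        } else {
            break;
        }
    }
    *stop = ip;
    return n;
}

static void show(const char *what, const uint8_t *code, size_t len)
{
    size_t ex[16], stop, n = trace(code, len, ex, 16, &stop);
    printf("%s: executed offsets", what);
    for (size_t i = 0; i < n; i++)
        printf(" %zu(%02X)", ex[i], code[ex[i]]);
    printf(", stopped at %zu of %zu\n", stop, len);
}

int main(void)
{
    uint8_t buf[32];
    size_t n;

    /* Each layout is followed by two NOPs standing in for the user's next instructions. */
    n = emit_trick_jump_original(buf);
    buf[n++] = 0x90; buf[n++] = 0x90;
    show("original, used once ", buf, n);      /* offset 3 is pop eax; offset 6 never runs */

    n = emit_trick_jump_original(buf);
    n += emit_trick_jump_original(buf + n);
    buf[n++] = 0x90; buf[n++] = 0x90;
    show("original, used twice", buf, n);      /* lands on the 01h at offset 7 */

    n = emit_trick_jump_fixed(buf);
    buf[n++] = 0x90; buf[n++] = 0x90;
    show("fixed               ", buf, n);      /* 0, 3 (nop), then straight through */
    return 0;
}
```

Used once, the posted macro executes pop eax (unbalancing the stack) and then skips the first byte of whatever follows; used twice back to back, the second copy's leading EBh is the skipped byte and execution lands on its 01h displacement, which is why the code breaks.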
Is check_bpx_point a local var on the stack? If not, then since you're injecting this code, its offset will be different depending on where the code is, and so it should be accessed using the delta offset.
mov edi, OFFSET check_bpx_point   ; address as assembled
add edi, ebx                      ; ebx = delta offset (where the code actually runs minus where it was assembled)
mov DWORD PTR [edi], 0

It is possible you have not been using the real check_bpx_point but in fact some arbitrary location in the host application.
Posted on 2004-02-06 20:53:01 by ENF

However, what is the MASM32 alternative for
db %
Is it db ?
It is just the number of the REPEAT loop. I just used it as a placeholder.
Posted on 2004-02-07 08:41:35 by bitRAKE