Can someone tell me some pros/contras why/when I should use self-modifying code?
pros:
- compilers don't do it
- can reduce code size
- can speed execution
- obfuscates code
contras:
- can slow execution (dirty cache)
- obfuscates code
There is usually no reason to use SMC, but that doesn't mean it isn't fun to design/debug. :) Only use it to protect your programs from the naive, or if it truly simplifies the program.
SMC can certainly be fun to play around with, and that can be reason enough to use it ;) - but for 'release' applications, I wouldn't do it unless it has a purpose. Like bitRAKE said, it can slow down execution, so you should take some care and time stuff...
I wrote a DLL, but I want it not to be 'detected' in RAM, so there can't be a 'fingerprint' or something from it. Which part should I make self-modifying, and modify with what?
Just modify the MZ/PE header then; a normal scan won't see it as a DLL then. However, doing so can also mean LoadResource etc. calls to get resources from the DLL will also fail. As for a 'fingerprint', like it or lump it, your code will have a fingerprint unless you really, really put some work into it.
You should use polymorphic code, a technique where the loader compiles the code differently each time it is run. Keep in mind there are many ways to accomplish the same thing. The following all do the same:
xor eax,eax
inc ecx
cdq
lea ecx,
and edx,0
mov eax,edx
sub eax,eax
sbb edx,edx
sbb ecx,-1
You might also want to vary the registers used when possible. Then free the loader when you're done, and there you go.
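The variants above are only "the same" under conditions the post does not spell out, which is exactly why a byte signature on one form tells a scanner nothing about the others and why equivalence has to be checked on effect, not on encoding. The following is an added example of mine, not code from the thread: a small C emulator of the eight variants that survive on the page (the truncated `lea ecx,` line is left out) over eax/ecx/edx and the carry flag, with real x86 semantics, so you can see when two forms leave the same registers. The start states are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Register state we care about: eax, ecx, edx and the carry flag. */
typedef struct { uint32_t eax, ecx, edx; unsigned cf; } cpu_t;

/* The variants quoted in the post (the truncated "lea ecx," line is omitted). */
enum op { XOR_EAX_EAX, SUB_EAX_EAX, MOV_EAX_EDX,
          CDQ, AND_EDX_0, SBB_EDX_EDX,
          INC_ECX, SBB_ECX_M1, OP_COUNT };

static const char *op_name[OP_COUNT] = {
    "xor eax,eax", "sub eax,eax", "mov eax,edx",
    "cdq", "and edx,0", "sbb edx,edx",
    "inc ecx", "sbb ecx,-1" };

/* Execute one instruction with x86 semantics for the registers and CF. */
static void step(cpu_t *c, enum op o)
{
    switch (o) {
    case XOR_EAX_EAX:                          /* xor/sub/and always clear CF */
    case SUB_EAX_EAX: c->eax = 0; c->cf = 0; break;
    case MOV_EAX_EDX: c->eax = c->edx; break;  /* mov leaves flags alone */
    case CDQ:                                  /* sign-extend eax into edx, flags untouched */
        c->edx = ((int32_t)c->eax < 0) ? 0xFFFFFFFFu : 0; break;
    case AND_EDX_0:   c->edx = 0; c->cf = 0; break;
    case SBB_EDX_EDX:                          /* edx - edx - CF = -CF; CF keeps its value */
        c->edx = c->cf ? 0xFFFFFFFFu : 0; break;
    case INC_ECX:     c->ecx += 1; break;      /* inc never touches CF */
    case SBB_ECX_M1: {                         /* ecx - (-1) - CF = ecx + 1 - CF */
        unsigned borrow = (uint64_t)c->ecx < 0xFFFFFFFFull + c->cf;
        c->ecx = c->ecx + 1 - c->cf;
        c->cf = borrow;
        break;
    }
    default: break;
    }
}

/* 1 if a and b leave eax/ecx/edx identical when run from the same start state. */
int same_regs_after(enum op a, enum op b, cpu_t start)
{
    cpu_t ca = start, cb = start;
    step(&ca, a);
    step(&cb, b);
    return ca.eax == cb.eax && ca.ecx == cb.ecx && ca.edx == cb.edx;
}

int main(void)
{
    /* Constructed start states: eax>=0 with CF clear, eax<0, and CF set. */
    cpu_t starts[] = { {5, 7, 9, 0}, {0x80000000u, 7, 9, 0}, {5, 7, 9, 1} };
    const char *label[] = { "eax>=0,CF=0", "eax<0,CF=0 ", "eax>=0,CF=1" };
    enum op pairs[][2] = { {XOR_EAX_EAX, SUB_EAX_EAX}, {CDQ, AND_EDX_0},
                           {SBB_EDX_EDX, AND_EDX_0}, {INC_ECX, SBB_ECX_M1} };
    for (size_t s = 0; s < 3; s++)
        for (size_t p = 0; p < 4; p++)
            printf("%s  %-12s vs %-12s : %s\n", label[s],
                   op_name[pairs[p][0]], op_name[pairs[p][1]],
                   same_regs_after(pairs[p][0], pairs[p][1], starts[s]) ? "same" : "DIFFERENT");
    return 0;
}
```

Running it shows the catch: `cdq` only zeroes edx when eax is non-negative, both `sbb` forms only match their partners when CF is clear, and `mov eax,edx` only zeroes eax when edx already is zero. A substitution table that ignores those preconditions breaks the program it is rewriting, and a detector that compares effects rather than bytes has to track the same state.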
Thanks for the code, but what do you mean with loader?
so there can't be a 'fingerprint' or something from it.
... you're not doing anything viral, are you?
I think you should start off writing something simple instead :P This sort of thing is for experts who are very experienced.
I have often used self-modifying code. It doesn't slow down performance though, right, if you aren't modifying it much? I never use self-modifying code inside inner loops (or even outer ones), but to set it up.
i.e. I have an unrolled loop, but different times the procedure is called the loop needs to be called a different number of times, so basically I self-modify the jmp to jump into the unrolled "loop" at the right place.
Other cases: a graphics operation that is applied to a whole image, but I modify certain things at the beginning (i.e. the amount something is shifted or whatever, the immediate operands of the code), so as to not have to use another register, or read those from memory.
This sort of thing has more advantages than disadvantages, right?
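The "jump into the unrolled loop at the right place" trick does not actually need writable code. This is an added example of mine, not the poster's code: the same dispatch done with a switch that falls through into the unrolled body (Duff's device), which the compiler turns into a jump table. The code page stays read-only, so nothing has to be unprotected, no cache line is dirtied, and a memory scanner that flags writable+executable pages has nothing to flag. The byte-sum workload is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* 8-way unrolled byte sum. The switch lands in the body at (n mod 8), so the
 * first pass covers the leftover bytes and every later pass covers 8.
 * No jmp is patched and no code page is written. */
uint32_t sum_unrolled(const uint8_t *p, size_t n)
{
    uint32_t acc = 0;
    if (n == 0)
        return 0;
    size_t rounds = (n + 7) / 8;      /* passes through the body */
    switch (n % 8) {
    case 0: do { acc += *p++;
    case 7:      acc += *p++;
    case 6:      acc += *p++;
    case 5:      acc += *p++;
    case 4:      acc += *p++;
    case 3:      acc += *p++;
    case 2:      acc += *p++;
    case 1:      acc += *p++;
            } while (--rounds > 0);
    }
    return acc;
}

/* Plain loop used as the reference. */
uint32_t sum_plain(const uint8_t *p, size_t n)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc += p[i];
    return acc;
}

/* Constructed workload: buf[i] = i for 0..63, checked at every length 0..64.
 * Returns 1 if the unrolled entry agrees with the plain loop everywhere. */
int unrolled_matches_plain(void)
{
    uint8_t buf[64];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = (uint8_t)i;
    for (size_t n = 0; n <= sizeof buf; n++)
        if (sum_unrolled(buf, n) != sum_plain(buf, n))
            return 0;
    return 1;
}

int main(void)
{
    printf("unrolled entry matches plain loop for all lengths: %s\n",
           unrolled_matches_plain() ? "yes" : "no");
    return 0;
}
```

The "compilers don't do it" pro from the first reply cuts the other way here: a compiler will happily build the jump table and keep the text segment immutable, which is the property DEP/W^X enforcement and in-memory integrity checks rely on.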
Afternoon, flapper.
I suggest you supply us with your reason for wanting to use SMC, else this thread may suddenly disappear.
Why do you "want it not to be 'detected' in RAM, so there can't be a 'fingerprint' or something from it." ??
Cheers,
Scronty
Another reason I use self-modifying code is to combine different effects together and process them in one swoop.
for instance
Let's say there are 10 different effects that normally, if the user wanted to use them, they would chain together, and basically each effect would run in serial, reading from a memory buffer of the whole image, outputting to another, and so on 10 times, moving a lot of memory around each time.
However, if you code the inner loop comparing the different combinations of these things, it would make the inner loop slow when the user wants a simple combination.
With self-modifying code (where you have certain rules, such as the count is never touched, and the output from each section of code is in EAX, or MM0 or whatever),
then at the beginning (which in some cases could be before the main program started, or in other cases in the render procedure each frame), some code sees the particular combination of effects the user wants, and manually combines some code together and runs it.
Klumsy, that may not necessarily be faster... You end up getting really large loops, and a lot of 'register pressure'. Sometimes it is faster to process one part, write back to a buffer (in L1 cache), then process the next part. That way caching, branch prediction, register renaming, out-of-order execution etc work better.
another example of my out of touchness with modern processors.
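To make the two designs in this exchange concrete, here is an added example of mine (not code from either poster): the serial pipeline, one whole-image pass per effect with a buffer in between, beside a fused pipeline where every pixel runs the whole user-chosen chain while it is still in a register, the "output of each section is in EAX" rule, but done with a table of function pointers picked at run time instead of code that is glued together at run time. The three effects and the 64-pixel image are constructed; which version is faster on a given CPU is exactly what has to be measured, as the reply above says.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Each effect maps one pixel to one pixel: the "result stays in EAX" rule. */
typedef uint8_t (*effect_fn)(uint8_t);

static uint8_t invert(uint8_t v)    { return (uint8_t)(255 - v); }
static uint8_t brighten(uint8_t v)  { return v > 239 ? 255 : (uint8_t)(v + 16); } /* saturating +16 */
static uint8_t threshold(uint8_t v) { return v >= 128 ? 255 : 0; }

#define MAX_PIXELS 256

/* Serial: one full pass over the image per effect, intermediate buffer between passes. */
void apply_serial(const uint8_t *in, uint8_t *out, size_t n,
                  const effect_fn *chain, size_t k)
{
    uint8_t tmp[MAX_PIXELS];
    if (n > MAX_PIXELS)
        n = MAX_PIXELS;
    memcpy(tmp, in, n);
    for (size_t e = 0; e < k; e++)          /* k passes, each touches the whole image */
        for (size_t i = 0; i < n; i++)
            tmp[i] = chain[e](tmp[i]);
    memcpy(out, tmp, n);
}

/* Fused: every pixel runs the whole chain before the next pixel is loaded, one pass total.
 * The chain is chosen at run time from the user's combination, no code is rewritten. */
void apply_fused(const uint8_t *in, uint8_t *out, size_t n,
                 const effect_fn *chain, size_t k)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t v = in[i];
        for (size_t e = 0; e < k; e++)
            v = chain[e](v);
        out[i] = v;
    }
}

/* Constructed 64-pixel gradient through brighten -> invert -> threshold.
 * Returns 1 if the serial and fused paths produce the same image. */
int pipelines_agree(void)
{
    uint8_t img[64], a[64], b[64];
    effect_fn chain[3] = { brighten, invert, threshold };
    for (size_t i = 0; i < 64; i++)
        img[i] = (uint8_t)(i * 4);
    apply_serial(img, a, 64, chain, 3);
    apply_fused(img, b, 64, chain, 3);
    return memcmp(a, b, 64) == 0;
}

int main(void)
{
    printf("serial and fused pipelines agree: %s\n", pipelines_agree() ? "yes" : "no");
    return 0;
}
```

The fused loop keeps the register-resident structure the self-modifying version is after, so it is the fair baseline to time against before deciding that writable code buys anything; and because the chain is data, not code, it does not need a writable+executable region at all.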
I don't want to go into any details, but it is not illegal ;)
So what would I modify?
It may not be illegal outright, but it is used in virus-coding techniques... hence why we ask your intent with the learned information since such things ARE ILLEGAL.
Yeah, self-modifying code is one thing and can certainly be useful, but trying to hide from fingerprints - why? I can only think of a _very_ few legitimate reasons for this, and I'd rather have that flapper mentions one of them than mentioning any myself...