What does it mean when it says to align the stack after the code executes?

; peid_fake.asm
; MASM32 antiPeID example
; coded by ap0x
; Reversing Labs: *censored*

; PeID checks OEP for signatures. If the byte pattern at OEP matches some of
; the signatures stored in PeID.exe or userdb.txt PeID will identify target as
; packer or protector assigned to that signature. So we can insert any number
; of bytes at OEP and make PeID detect the wrong packer.


      .586
      .model flat, stdcall
      option casemap :none  ; case sensitive

      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc
      include \masm32\include\comdlg32.inc
     
      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib
      includelib \masm32\lib\comdlg32.lib
     
    .data
      msgTitle db "Scan status:",0h
      msgText db "Fake signature ;)",0h
    .code

start:

; For example this is BJFNT`s  1.3 OEP

db 0EBh,03h,3Ah,4Dh,3Ah,1Eh,0EBh,02h,0CDh,20h,9Ch,0EBh,02h,0CDh,20h,0EBh,02h,0CDh,20h,60h

; After this code executes we just align the STACK and continue executing
; like no code was executed before MessageBox.

POPAD
POPFD
POP DS

PUSH 40h
PUSH offset msgTitle
PUSH offset msgText
PUSH 0
CALL MessageBox

PUSH 0
CALL ExitProcess

end start


f0dder edit: URL had questionable material, sorry
Posted on 2006-04-13 16:11:36 by skywalker
Heh, why mess with lame crap like that? Anyway, the code "aligns stack" itself (popad, popfd, pop ds).
Posted on 2006-04-13 16:29:08 by f0dder

Heh, why mess with lame crap like that? Anyway, the code "aligns stack" itself (popad, popfd, pop ds).



What would you suggest?
Posted on 2006-04-13 16:40:13 by skywalker
I would suggest not doing Anti-PEiD code and just accepting that whatever packer/protector you use will be detected. Hiding it is not going to buy you much, if anything, anyway.
Posted on 2006-04-13 16:55:43 by f0dder
Good try.

I like it keep up the good work dude.

Cleck out my tot how to hide yoda;s crtpter / others using hex

Peid will not pick it up

But keep up your programing is masm32

:)

Attachments:
Posted on 2006-04-17 20:54:12 by COREY
Thanks for the tutorial. Masm32 is hard but worth it.

Posted on 2006-04-17 21:56:33 by skywalker

Hiding it is not going to buy you much, if anything, anyway.


Stops the script kiddies from downloading an unpacker from the internet. Of course this poses no problem to somebody trying to unpack your program "by hand" - but there's little you can do about that anyway.
Posted on 2006-04-18 11:05:07 by QvasiModo
Thanks for reading it
i was happy to make it but some people say it was a wast of time...
But who cares it was fun doing it

Next tot will be

Reg for Masm32
Which will check a web page for a key on a file and the on they have on the computer if it dosent match it exits .etc


P.s

I also have left out in the tot

That when you go to protect a item while the exe you have changed every time if will give you the protected file which you have changed so dont keep doing it..

Posted on 2006-04-19 21:29:39 by COREY