I don't know what assembler was used, but does someone know how to translate this to MASM?

Thanks.

mov    eax,dword
Posted on 2009-10-18 18:53:22 by skywalker
That's NASM syntax.

In MASM I believe it should be...


mov eax, dword ptr
Posted on 2009-10-18 19:14:04 by SpooK
TASM, which is an ancient assembler, automatically guesses operand sizes based on the registers used. "mov eax," loads a 32-bit value into eax, so it's obvious that the pointer is a dword pointer (otherwise you would have to use movzx/movsx).

So your assembler should be able to properly assemble "mov eax, ".
Posted on 2009-10-18 20:30:40 by ti_mo_n

That's NASM syntax.

In MASM I believe it should be...


mov eax, dword ptr



Thanks, I got it fixed.


; anti5.asm
;
; One example of an anti-disassembly technique is to insert a garbage byte and then add a
; conditional branch which will transfer execution to the garbage byte; however, the condition
; for the conditional branch will always be FALSE. Thus, the garbage byte will never be executed
; but will trick disassemblers into disassembling from the garbage byte's address, which eventually
; leads to incorrect disassembly output.

; Here is an example of the simple PEB.BeingDebugged flag check with some anti-disassembly
; code added. The highlighted lines are the main instructions, while the remaining ones are the
; anti-disassembly code. It uses the garbage byte 0xff and adds a fake conditional jump into the
; garbage byte for disassemblers to follow:

.386
.MODEL FLAT, STDCALL
OPTION CASEMAP: NONE

    include \masm32\include\windows.inc
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\advapi32.inc
    include \masm32\include\shlwapi.inc
    include \masm32\macros\macros.asm

    includelib  \masm32\lib\kernel32.lib
    includelib  \masm32\lib\user32.lib
    includelib  \masm32\lib\advapi32.lib
    includelib  \masm32\lib\shlwapi.lib

.DATA

msg_NotNT      BYTE    "Debugging has been detected !!", 0
AppName        BYTE    "AD", 0

.CODE

start:

ASSUME fs:NOTHING

    ;Anti-disassembly sequence #1
    push                        ; address of the real continuation, consumed by the retn
    stc                         ; CF = 1, so the jnc below is never taken
    jnc                         ; fake branch into the garbage byte, for disassemblers only
    retn                        ; pops the pushed address: execution resumes at jmp_real_01
jmp_fake_01:
    db      0ffh                ; garbage byte, never executed
jmp_real_01:
    ;--------------------------
    mov    eax,dword ptr
    ;Anti-disassembly sequence #2
    push                        ; address of the real continuation, consumed by the retn
    clc                         ; CF = 0, so the jc below is never taken
    jc                          ; fake branch into the garbage byte, for disassemblers only
    retn                        ; pops the pushed address: execution resumes at jmp_real_02
jmp_fake_02:
    db      0ffh                ; garbage byte, never executed
jmp_real_02:
    ;--------------------------
    mov    eax,dword ptr
    movzx  eax,byte ptr         ; PEB.BeingDebugged
    test   eax,eax
    jnz    Debugger_found
    invoke ExitProcess,0

Debugger_found:

    invoke MessageBox, NULL, addr msg_NotNT, addr AppName, MB_OK

    invoke ExitProcess,1

end start


Posted on 2009-10-18 22:02:41 by skywalker
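Added example, not part of the thread and not skywalker's code: a small Python model of what the posted sequence does to a disassembler. It hand-assembles the sequence with the operands that the forum rendering dropped (assumed here: push offset jmp_real_N, jnc/jc jmp_fake_N, mov eax,fs:[30h] and movzx eax,byte ptr [eax+2], i.e. PEB.BeingDebugged), replaces the ExitProcess calls with xor/ret and mov/ret stubs, and assumes a load address of 0x401000 (the bytes are a constructed sample, not taken from a real binary). A linear sweep decodes the 0FFh as the opcode of a ModRM instruction that swallows the real mov eax,fs:[30h], and a plain recursive traversal never reaches jmp_real_N at all because retn has no static target. Two cheap rules recover the real code: stc/clc pin CF, so the next jnc/jc has only one live edge, and push imm32 followed by ret is a jump. The opcode table covers only the bytes this sample produces.

```python
BASE = 0x401000   # assumed load address of the snippet; any value works

def build_sample(base):
    """Hand-assembled bytes of the posted sequence (constructed sample; operands assumed)."""
    real1, real2 = base + 10, base + 26
    return bytes([
        0x68, *real1.to_bytes(4, "little"),  # +0  push offset jmp_real_01
        0xF9,                                # +5  stc
        0x73, 0x01,                          # +6  jnc jmp_fake_01  (never taken)
        0xC3,                                # +8  retn             -> jmp_real_01
        0xFF,                                # +9  jmp_fake_01: db 0FFh
        0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,  # +10 jmp_real_01: mov eax,fs:[30h]  (PEB)
        0x68, *real2.to_bytes(4, "little"),  # +16 push offset jmp_real_02
        0xF8,                                # +21 clc
        0x72, 0x01,                          # +22 jc jmp_fake_02   (never taken)
        0xC3,                                # +24 retn             -> jmp_real_02
        0xFF,                                # +25 jmp_fake_02: db 0FFh
        0x0F, 0xB6, 0x40, 0x02,              # +26 jmp_real_02: movzx eax,byte ptr [eax+2] (BeingDebugged)
        0x85, 0xC0,                          # +30 test eax,eax
        0x75, 0x03,                          # +32 jnz Debugger_found
        0x31, 0xC0, 0xC3,                    # +34 xor eax,eax / retn  (stand-in for ExitProcess,0)
        0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3,  # +37 Debugger_found: mov eax,1 / retn (ExitProcess,1)
    ])

# opcode -> (mnemonic, operand kind): just enough for the sample and its mis-decoding
OPS = {0x00: ("add", "modrm"), 0x01: ("add", "modrm"), 0x31: ("xor", "modrm"),
       0x85: ("test", "modrm"), 0xFF: ("grp5", "modrm"), (0x0F, 0xB6): ("movzx", "modrm"),
       0x68: ("push", "imm32"), 0xB8: ("mov eax", "imm32"), 0xA1: ("mov eax,[moffs32]", "imm32"),
       0xC3: ("ret", "none"), 0xF8: ("clc", "none"), 0xF9: ("stc", "none"),
       0x72: ("jc", "rel8"), 0x73: ("jnc", "rel8"), 0x75: ("jnz", "rel8")}
GRP5 = ["inc", "dec", "call", "callf", "jmp", "jmpf", "push", "(bad)"]   # 0xFF /reg
BRANCH_ON_CF = {"jc": True, "jnc": False}   # taken iff CF == value; jnz does not read CF
CF_WRITERS = {"add", "xor", "test"}         # after these CF is unknown again

def modrm_len(code, i):
    """Bytes taken by the ModRM at code[i] plus its SIB byte and displacement."""
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1 + (mod != 3 and rm == 4)                         # SIB byte follows
    if mod == 1:
        n += 1                                             # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                                             # disp32
    elif mod == 0 and rm == 4 and code[i + 1] & 7 == 5:
        n += 4                                             # SIB base=101 -> disp32
    return n

def decode(code, base, off):
    """Decode one instruction at code[off] -> (mnemonic, length, branch target or immediate)."""
    i, prefix = off, ""
    if code[i] == 0x64:                                    # fs: segment override
        prefix, i = "fs: ", i + 1
    op, i = code[i], i + 1
    if op == 0x0F:                                         # two-byte opcode
        op, i = (0x0F, code[i]), i + 1
    if op not in OPS:
        return ("db 0x%02x" % code[off], 1, None)
    name, kind = OPS[op]
    target = None
    if kind == "imm32":
        target, i = int.from_bytes(code[i:i + 4], "little"), i + 4
    elif kind == "rel8":
        i += 1
        target = base + i + int.from_bytes(code[i - 1:i], "little", signed=True)
    elif kind == "modrm":
        if name == "grp5":
            name = GRP5[(code[i] >> 3) & 7]
        i += modrm_len(code, i)
    return (prefix + name, i - off, target)

def linear_sweep(code, base):
    """What a linear-sweep disassembler shows: every byte decoded in order."""
    out, off = [], 0
    while off < len(code):
        name, n, _ = decode(code, base, off)
        out.append((base + off, name))
        off += n
    return out

def follow_flow(code, base, smart):
    """Recursive traversal; smart=True also applies the stc/clc and push/ret rules."""
    seen, out, work = set(), [], [(0, None, None)]         # (offset, CF, pending push)
    while work:
        off, cf, pushed = work.pop()
        while 0 <= off < len(code) and off not in seen:
            seen.add(off)
            name, n, target = decode(code, base, off)
            out.append((base + off, name))
            nxt = off + n
            if name in ("stc", "clc"):
                cf = name == "stc"
            elif name in CF_WRITERS:
                cf = None
            elif name == "push":
                pushed = target
            elif name in ("jc", "jnc", "jnz"):
                take = fall = True
                if smart and cf is not None and name in BRANCH_ON_CF:
                    take, fall = cf == BRANCH_ON_CF[name], cf != BRANCH_ON_CF[name]
                if take:
                    work.append((target - base, cf, pushed))
                if not fall:
                    break
            elif name == "ret":
                if not (smart and pushed is not None):
                    break                                  # return address unknown
                nxt, pushed = pushed - base, None          # push imm32 ; ret == jmp imm32
            elif name == "jmp":
                break                                      # indirect jmp: target unknown
            off = nxt
    return out
```

Compare `dict(linear_sweep(code, BASE))` with `dict(follow_flow(code, BASE, smart=True))` for `code = build_sample(BASE)`: the sweep reports a bogus jmp at +9, loses the mov at +10, the clc at +21 and the movzx at +26, and only resyncs at the test at +30; the naive traversal stops after five instructions; the flow-aware walk lists the full PEB check and never visits either garbage byte. The CF tracking is deliberately conservative: any instruction that writes CF resets it to unknown, so a jc placed after test would not be pruned.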
you might also need to add

ASSUME FS:NOTHING

into the code, so masm doesn't get confused :)

does that code actually work though?

cos, the push would push the dword at that address, NOT the address itself...
Posted on 2009-10-19 02:14:17 by evlncrn8

you might also need to add

ASSUME FS:NOTHING

into the code, so masm doesn't get confused :)

does that code actually work though?

cos, the push would push the dword at that address, NOT the address itself...


My code already has the assume statement.

I removed the brackets and the code still works.
Not sure why it also worked with the brackets.

Andy
Posted on 2009-10-19 07:51:27 by skywalker
sigh
Posted on 2009-10-19 08:15:21 by Homer

I removed the brackets and the code still works.
Not sure why it also worked with the brackets.


Yeah, ambiguities are fun.
Posted on 2009-10-19 11:21:30 by SpooK
Should add more tricks? These are easy to beat.  ;)
Posted on 2009-10-20 09:42:40 by roticv

Should add more tricks? These are easy to beat.  ;)
Rather, should just avoid tricks like that, and either use a full-blown protection suite or nothing at all.
Posted on 2009-10-20 09:58:05 by f0dder
Yeah, the phrase "screen-door on a submarine" comes to mind.
Posted on 2009-10-20 11:49:59 by SpooK