Usr6

ASM - Manual Metamorphic Obfuscation


There are 3 major Metamorphic techniques that are used in most Metamorphic/Polymorphic engines. Dead Code Injection, Register Usage Exchange (Register Renaming), and Equivalent Code Substitution. I will explain each of these techniques and give a simple example.

Dead Code Injection:

This technique is used by placing do-nothing instructions before, after, or in between regular code instructions. It is also known as "Junk Code" or "Garbage Code". Most will use the XOR, JMP, or NOP instruction for dead code injection. This example will place dead code before the call to the WinExec function:

xor ecx,ecx                     ;Zero out the contents of the ecx register
mov eax,ecx                     ;Move ecx into eax. Eax is now zero

push eax                        ;Regular instruction
push 01008748                   ;Regular instruction
call WinExec                    ;Regular instruction

As you can see, we used two dead instructions to get "push eax" instead of just using one "push eax" instruction. That extra code rearranges the opcodes within the file.

Register Usage Exchange (Register Renaming):

This technique is used by swapping registers and variables around within the file but still keeping the code functioning the same. The first set of instructions is the original code and the second is the renamed code:

pop edx                         ;Regular instruction
mov edi,004h                    ;Regular instruction
mov esi,ebp                     ;Regular instruction
mov eax,000ch                   ;Regular instruction
add edx,0088h                   ;Regular instruction
mov ebx,[edx]                   ;Regular instruction
mov [esi+eax*4+00001118],ebx    ;Regular instruction

pop eax                         ;Renamed instruction
mov ebx,004h                    ;Renamed instruction
mov edx,ebp                     ;Renamed instruction
mov edi,000ch                   ;Renamed instruction
add eax,0088h                   ;Renamed instruction
mov esi,[eax]                   ;Renamed instruction
mov [edx+edi*4+00001118],esi    ;Renamed instruction

And here we just swapped the instructions for others while keeping the code running as normal.

Equivalent Code Substitution:

This technique allows you to replace an instruction with an equivalent instruction or an equivalent block of instructions. No real need to explain most of these since they are self-explanatory. But here are a few examples nonetheless:

mov eax,0                       ;Is equivalent to xor eax,eax

push eax                        ;Is equivalent to mov edx,eax
pop edx

lea eax,[eax+edx]               ;Is equivalent to add eax,edx

Source
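Seen from the detection side, all three techniques are undone by a normaliser that folds the equivalent forms back to one spelling, drops nops, and numbers registers by first use so a register-renamed copy compares equal to its original. The Python below is an added example and not the post's code: it covers only the three substitutions and the nop case listed above (register-level junk such as the xor/mov pair needs liveness analysis, which it does not attempt), and the two listings are constructed copies of the renaming example from the post.

```python
import re

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp)\b")

def parse(listing):
    # Turn a listing into (mnemonic, [operands]); drop ';' comments, blanks and nops.
    instrs = []
    for line in listing.lower().splitlines():
        line = " ".join(line.split(";", 1)[0].split())   # strip comment, squeeze spaces
        if not line or line == "nop":
            continue
        mnem, _, rest = line.partition(" ")
        instrs.append((mnem, [o.strip() for o in rest.split(",")] if rest else []))
    return instrs

def substitute(instrs):
    # Rewrite the three equivalent-code forms from the post to one canonical spelling.
    out, i = [], 0
    while i < len(instrs):
        mnem, ops = instrs[i]
        nxt = instrs[i + 1] if i + 1 < len(instrs) else ("", [])
        lea = re.fullmatch(r"\[(\w+)\+(\w+)\]", ops[1]) if mnem == "lea" else None
        if mnem == "mov" and ops[1] in ("0", "0h", "00h"):
            out.append(("xor", [ops[0], ops[0]]))           # mov r,0      -> xor r,r
        elif mnem == "push" and nxt[0] == "pop" and REG_RE.fullmatch(ops[0]):
            out.append(("mov", [nxt[1][0], ops[0]]))        # push a/pop b -> mov b,a
            i += 1                                           # the pop is consumed too
        elif lea and lea.group(1) == ops[0]:
            out.append(("add", [ops[0], lea.group(2)]))     # lea a,[a+b]  -> add a,b
        else:
            out.append((mnem, ops))
        i += 1
    return out

def alpha_rename(instrs):
    # Number registers by order of first use, so renamed variants compare equal.
    names = {}
    rn = lambda m: names.setdefault(m.group(1), f"r{len(names)}")
    return [(mnem, [REG_RE.sub(rn, o) for o in ops]) for mnem, ops in instrs]

def normalize(listing):
    # Canonical form: substitutions folded, nops dropped, registers alpha-renamed.
    return alpha_rename(substitute(parse(listing)))

# Constructed sample input: the original and register-renamed sequences from the post.
ORIGINAL = "pop edx\nmov edi,004h\nmov esi,ebp\nmov eax,000ch\nadd edx,0088h\nmov ebx,[edx]\nmov [esi+eax*4+00001118],ebx"
RENAMED = "pop eax\nmov ebx,004h\nmov edx,ebp\nmov edi,000ch\nadd eax,0088h\nmov esi,[eax]\nmov [edx+edi*4+00001118],esi"
```

`normalize(ORIGINAL) == normalize(RENAMED)` holds, and each equivalent pair from the last section normalises to the same tuple; a scanner that hashes the normalised form instead of the raw bytes is therefore not fooled by these three transformations.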
