Linux antidebug 3

Content: Now we will try to make disasm output very unclear. We make jump with eax register

Program 1

main:
    push lbl+1
    pop eax
    jmp eax
lbl:
    db 0xe8
    mov eax, 4
    mov ebx, 1
    mov ecx, msg1
    mov edx, msg1_size
    int 80h

    mov eax, 1
    mov ebx, 0
    int 80h

Output is same as source. Nothing changes
Disassembler output 1

? ....... ! main:                           ;xref o80482d7     
? ....... !   push        offset_804837d                  
? 8048379 !   pop         eax                       
? 804837a !   jmp         eax                        
? 804837c     db          0e8h                            
? 804837d !                                                   
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   mov         eax, 4                       
? 8048382 !   mov         ebx, 1                   
? 8048387 !   mov         ecx, strz_I_am_running__8049568  
? 804838c !   mov         edx, 0eh           
? 8048391 !   int         80h              
? 8048393 !   mov         eax, 1             
? 8048398 !   mov         ebx, 0 
? 804839d !   int         80h

Here we add only one instruction. We get jump adress and add 1. Disasm cannot calculate adress of jmp.

Program 2

Like in first programm disasm think that we push correct adress and disasm it. And our byte 0xe9 is used for disasm output. That nice.

main:
    push lbl
    pop eax
    inc eax
    jmp eax
lbl:
    db 0xe9
    mov eax, 4
    mov ebx, 1
    mov ecx, msg1
    mov edx, msg1_size
    int 80h

    mov eax, 1
    mov ebx, 0
    int 80h

Disassembler output 2

? ....... ! main:                           ;xref o80482d7  
? ....... !   push        offset_804837d 
? 8048379 !   pop         eax           
? 804837a !   inc         eax    
? 804837b !   jmp         eax  
? 804837d !                      
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   jmp         804883ah        
? 8048382     add         [ebx+1], bh    
? 8048388     mov         ecx, 8049568h   
? 804838d     mov         edx, 0eh  
? 8048392     int         80h     
? 8048394     mov         eax, 1  
? 8048399     mov         ebx, 0 
? 804839e     int         80h

Now we add nop instruction after every line of our code. It doesnt have any impact on program work.

Program 3

main:
    push lbl
    pop eax
    inc eax
    jmp eax
lbl:
    db 0xe9
    mov eax, 4
    nop
    mov ebx, 1
    nop
    mov ecx, msg1
    nop
    mov edx, msg1_size
    int 80h

    mov eax, 1
    mov ebx, 0
    jmp lbl2+1
lbl2:
    db 0xe9
    int 80h

Disasm output now is very nice. Output isnt very good. For first time when you view this output it is very unclear about what exactly is done by this code.

Disassembler output 3

? ....... ! main:                           ;xref o80482d7
? ....... !   push        offset_804837d  
? 8048379 !   pop         eax  
? 804837a !   inc         eax    
? 804837b !   jmp         eax 
? 804837d !               
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   jmp         804883ah   
? 8048382     add         [eax+1bbh], dl
? 8048388     add         [eax+49578b9h], dl 
? 804838e     or          [eax+0ebah], dl    
? 8048394     add         ch, cl              
? 8048396     cmp         byte ptr [eax+1], 0bbh  
? 804839d     add         [eax], al  
? 804839f     add         [eax], al 
? 80483a1     jmp         80483a4h
? 80483a3     jmp         98950475h

Here is one more way how to make unclear jump to other place. We using function and inside function we change return address by 1.

Program 4

Thats also works fine. Disasm dont know real return address ans and use 0xe8 as he think is better.

main:
    call fun
    db 0xe8
    mov eax, 4
    mov ebx, 1
    mov ecx, msg1
    mov edx, msg1_size
    int 80h

    mov eax, 1
    mov ebx, 0
    int 80h

fun:
    pop ebp
    inc ebp
    push ebp
    ret

Disassembler output 4

? ....... ! main:                           ;xref o80482d7 
? ....... !   call        sub_804839c  
? 8048379 !   call        8048836h  
? 804837e !   add         [ebx+1], bh      
? 8048384 !   mov         ecx, strz_I_am_running__8049568
? 8048389 !   mov         edx, 0eh
? 804838e !   int         80h 
? 8048390 !   mov         eax, 1 
? 8048395 !   mov         ebx, 0
? 804839a !   int         80h 
? 804839c !                       
? ....... ! ;-----------------------    
? ....... ! ;  S U B R O U T I N E   
? ....... ! ;----------------------- 
? ....... ! sub_804839c:                    ;xref c8048374  
? ....... !   pop         ebp     
? 804839d !   inc         ebp     
? 804839e !   push        ebp 
? 804839f !   ret

Download

http://archive.main.lv/files/writeup/linux_antidebug_3/antidebug3.tar.gz