part 1 -- conditional execution w/o jxx
---------------------------------------
Lets consider some C-to-asm transformations.
Lets assume a is eax, b is ebx, c is ecx, d is edx,
and "condition" is a result of some binary comparison, i.e. single bit, 0 or 1.
example 1
---------
First, we want to know how the following thing looks in assembly:
example 2
---------
lets taste it in more real situation:
example 4
---------
absolute value, abs() function:
example 5
---------
some code in C:
all these macros should generate different code,
and uncommented macros should generate code w/o jmps.
part 2 -- generating code
-------------------------
In some situations, complex polymorphic decryptors
are detected using set-of-instructions technique.
This technique can be defined as the following:
example 7
---------
As you can see, such constructions (ex.6/7) will allow you to
produce code where
1. overall instruction statistics is very close to standard statistics
2. full and correct emulation is required to determine real
set of used instructions.
axiom: if some algorithm will analyze each conditional jmp,
choosing only one of the variants of the execution flow
(where only some defined set of instructions is used),
it will result in false alarms.
However, here should be noted: statistical and more sophisticated
detection algorithms are used only when all other more simple ways are impossible.
The only way to write near-to-undetectable code is to constantly
check detection algorithms and fix all the bugs which resulted in detecti
---------------------------------------
Lets consider some C-to-asm transformations.
Lets assume a is eax, b is ebx, c is ecx, d is edx,
and "condition" is a result of some binary comparison, i.e. single bit, 0 or 1.
example 1
---------
First, we want to know how the following thing looks in assembly:
example 2
---------
lets taste it in more real situation:
example 4
---------
absolute value, abs() function:
example 5
---------
some code in C:
all these macros should generate different code,
and uncommented macros should generate code w/o jmps.
part 2 -- generating code
-------------------------
In some situations, complex polymorphic decryptors
are detected using set-of-instructions technique.
This technique can be defined as the following:
example 7
---------
As you can see, such constructions (ex.6/7) will allow you to
produce code where
1. overall instruction statistics is very close to standard statistics
2. full and correct emulation is required to determine real
set of used instructions.
axiom: if some algorithm will analyze each conditional jmp,
choosing only one of the variants of the execution flow
(where only some defined set of instructions is used),
it will result in false alarms.
However, here should be noted: statistical and more sophisticated
detection algorithms are used only when all other more simple ways are impossible.
The only way to write near-to-undetectable code is to constantly
check detection algorithms and fix all the bugs which resulted in detecti
