5.11. ISADETECTION
Disassembling from an incorrect start (x86)
Unlike ARM and MIPS (where any instruction has a length of 2 or 4 bytes), x86 instructions have variable
size, so any disassembler that starts in the middle of a x86 instruction may produce incorrect results.
As an example:
add [ebp-31F7Bh], cl
dec dword ptr [ecx-3277Bh]
dec dword ptr [ebp-2CF7Bh]
inc dword ptr [ebx-7A76F33Ch]
fdiv st(4), st
db 0FFh
dec dword ptr [ecx-21F7Bh]
dec dword ptr [ecx-22373h]
dec dword ptr [ecx-2276Bh]
dec dword ptr [ecx-22B63h]
dec dword ptr [ecx-22F4Bh]
dec dword ptr [ecx-23343h]
jmp dword ptr [esi-74h]
xchg eax, ebp
clc
std
db 0FFh
db 0FFh
mov word ptr [ebp-214h], cs ; <- disassembler finally found right track here
mov word ptr [ebp-238h], ds
mov word ptr [ebp-23Ch], es
mov word ptr [ebp-240h], fs
mov word ptr [ebp-244h], gs
pushf
pop dword ptr [ebp-210h]
mov eax, [ebp+4]
mov [ebp-218h], eax
lea eax, [ebp+4]
mov [ebp-20Ch], eax
mov dword ptr [ebp-2D0h], 10001h
mov eax, [eax-4]
mov [ebp-21Ch], eax
mov eax, [ebp+0Ch]
mov [ebp-320h], eax
mov eax, [ebp+10h]
mov [ebp-31Ch], eax
mov eax, [ebp+4]
mov [ebp-314h], eax
call ds:IsDebuggerPresent
mov edi, eax
lea eax, [ebp-328h]
push eax
call sub_407663
pop ecx
test eax, eax
jnz short loc_402D7BThere are incorrectly disassembled instructions at the beginning, but eventually the disassembler gets on
the right track.
How does random noise looks disassembled?
Common properties that can be spotted easily are:
- Unusually big instruction dispersion. The most frequent x86 instructions arePUSH,MOV,CALL, but
here we see instructions from all instruction groups:FPUinstructions,IN/OUTinstructions, rare and
system instructions, everything mixed up in one single place. - Big and random values, offsets and immediates.
- Jumps having incorrect offsets, often jumping in the middle of another instructions.