CHAPTER 49. INCORRECTLY DISASSEMBLED CODE CHAPTER 49. INCORRECTLY DISASSEMBLED CODE
call sub_407663
pop ecx
test eax, eax
jnz short loc_402D7BThere are incorrectly disassembled instructions at the beginning, but eventually the disassembler gets on the right track.
49.2 How does random noise looks disassembled?
Common properties that can be spotted easily are:
- Unusually big instruction dispersion. The most frequent x86 instructions arePUSH,MOV,CALL, but here we see
instructions from all instruction groups:FPUinstructions,IN/OUTinstructions, rare and system instructions, everything
mixed up in one single place. - Big and random values, offsets and immediates.
- Jumps having incorrect offsets, often jumping in the middle of another instructions.
Listing 49.1: random noise (x86)
mov bl, 0Ch
mov ecx, 0D38558Dh
mov eax, ds:2C869A86h
db 67h
mov dl, 0CCh
insb
movsb
push eax
xor [edx-53h], ah
fcom qword ptr [edi-45A0EF72h]
pop esp
pop ss
in eax, dx
dec ebx
push esp
lds esp, [esi-41h]
retf
rcl dword ptr [eax], cl
mov cl, 9Ch
mov ch, 0DFh
push cs
insb
mov esi, 0D9C65E4Dh
imul ebp, [ecx], 66h
pushf
sal dword ptr [ebp-64h], cl
sub eax, 0AC433D64h
out 8Ch, eax
pop ss
sbb [eax], ebx
aas
xchg cl, [ebx+ebx*4+14B31Eh]
jecxz short near ptr loc_58+1
xor al, 0C6h
inc edx
db 36h
pusha
stosb
test [ebx], ebx
sub al, 0D3h ; 'L'
pop eax
stosbloc_58: ; CODE XREF: seg000:0000004A
test [esi], eax
inc ebp
das
db 64h