Reversing : The Hacker's Guide to Reverse Engineering


Table 10.1 Common Reversing Tools and Their Disassembler Architectures.


DISASSEMBLER/DEBUGGER NAME                                   DISASSEMBLY METHOD
OllyDbg                                                      Recursive traversal
NuMega SoftICE                                               Linear sweep
Microsoft WinDbg                                             Linear sweep
IDA Pro                                                      Recursive traversal
PEBrowse Professional (including the interactive version)    Recursive traversal

Linear Sweep Disassemblers


Let's start experimenting with some simple sequences that confuse disassemblers. We'll initially focus exclusively on linear sweep disassemblers, which are easier to trick: a linear sweep decodes the code bytes one instruction after another without following control flow, so a single stray byte placed where execution never reaches it is enough to desynchronize the instruction stream. Later we'll proceed to more involved sequences that attempt to confuse both types of disassemblers.
Consider for example the following inline assembler sequence:


_asm
{
    Some code...
    jmp After                ; unconditional jump over the next byte
    _emit 0x0f               ; stray 0F byte: never executed, but it is the first
                             ; byte of a two-byte opcode, so a linear sweep
                             ; decodes it together with the bytes of the MOV
After:
    mov eax, [SomeVariable]
    push eax
    call AFunction
}

When loaded in OllyDbg, the preceding code sequence is perfectly readable, because OllyDbg performs a recursive traversal on it: it follows the unconditional jump and resumes decoding at the jump target, so it never starts an instruction at the 0F byte. That byte is shown as data (DB 0F) rather than disassembled, and the instructions that follow it are correctly disassembled. The following is OllyDbg's output for the preceding code sequence.


0040101D EB 01 JMP SHORT disasmtest.00401020
0040101F 0F DB 0F
00401020 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401023 50 PUSH EAX
00401024 E8 D7FFFFFF CALL disasmtest.401000
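To see why the same bytes come out differently under the two strategies, here is a toy x86-32 decoder that runs both a linear sweep and a recursive traversal over the sequence above. This is an added example for this page, not code from the book, from OllyDbg or from SoftICE; the byte string is constructed from the OllyDbg listing above, and the decoder only knows the handful of opcodes that this sequence (and the desynchronized decode of it) actually touches. The listing it prints for the sweep is what this toy decoder produces, not the output of any real tool.

```python
"""Toy x86-32 decoder running linear sweep and recursive traversal over the
anti-disassembly sequence above.  Added example, not the book's code, and not
the output of OllyDbg or SoftICE; only the opcodes this byte string reaches
are modelled."""
import struct

BASE = 0x0040101D
# Constructed from the OllyDbg listing above: jmp short +1, the stray 0F byte,
# mov eax,[ebp-4], push eax, call 0x401000.
CODE = bytes.fromhex("EB01" "0F" "8B45FC" "50" "E8D7FFFFFF")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
JCC_NAMES = {0x8B: "jpo"}   # the only condition code this example reaches


def decode(code, off, base):
    """Decode one instruction at code[off].

    Returns (text, length, (kind, target)) where kind is 'jmp', 'call',
    'ret' or 'fall'.  Unknown or truncated opcodes come back as a one-byte
    'db' so a sweep keeps going, as real linear-sweep tools do."""
    addr = base + off
    op = code[off]
    left = len(code) - off

    if op == 0xEB and left >= 2:                      # jmp short rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        target = (addr + 2 + rel) & 0xFFFFFFFF
        return f"jmp short 0x{target:08X}", 2, ("jmp", target)
    if op == 0xE8 and left >= 5:                      # call rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = (addr + 5 + rel) & 0xFFFFFFFF
        return f"call 0x{target:08X}", 5, ("call", target)
    if op == 0x0F and left >= 6 and 0x80 <= code[off + 1] <= 0x8F:
        # Two-byte opcode 0F 8x = Jcc rel32: the 0F byte swallows the next
        # five bytes, which is exactly what desynchronizes a linear sweep.
        rel = struct.unpack_from("<i", code, off + 2)[0]
        target = (addr + 6 + rel) & 0xFFFFFFFF
        mnem = JCC_NAMES.get(code[off + 1], "jcc")
        return f"{mnem} 0x{target:08X}", 6, ("fall", None)
    if (op == 0x8B and left >= 3 and (code[off + 1] >> 6) == 1
            and (code[off + 1] & 7) != 4):           # mov r32,[r32+disp8], no SIB
        modrm = code[off + 1]
        reg, rm = (modrm >> 3) & 7, modrm & 7
        disp = struct.unpack_from("<b", code, off + 2)[0]
        return (f"mov {REG32[reg]}, dword ptr [{REG32[rm]}{disp:+d}]",
                3, ("fall", None))
    if 0x50 <= op <= 0x57:                            # push r32
        return f"push {REG32[op - 0x50]}", 1, ("fall", None)
    if op == 0xD7:
        return "xlat", 1, ("fall", None)
    if op == 0xC3:
        return "ret", 1, ("ret", None)
    return f"db 0x{op:02X}", 1, ("fall", None)


def linear_sweep(code=CODE, base=BASE):
    """Decode straight through the buffer, never looking at control flow."""
    out, off = [], 0
    while off < len(code):
        text, length, _ = decode(code, off, base)
        out.append((base + off, text))
        off += length
    return out


def recursive_traversal(code=CODE, base=BASE):
    """Decode only along control-flow paths reachable from the entry point."""
    end = base + len(code)
    worklist, seen = [base], {}
    while worklist:
        addr = worklist.pop()
        while base <= addr < end and addr not in seen:
            text, length, (kind, target) = decode(code, addr - base, base)
            seen[addr] = (text, length)
            if kind in ("jmp", "call") and base <= target < end:
                worklist.append(target)
            if kind in ("jmp", "ret"):
                break          # nothing falls through an unconditional transfer
            addr += length
    # Bytes no path ever reached are shown as data, the way OllyDbg prints DB 0F.
    out, addr = [], base
    while addr < end:
        if addr in seen:
            text, length = seen[addr]
            out.append((addr, text))
            addr += length
        else:
            out.append((addr, f"db 0x{code[addr - base]:02X}"))
            addr += 1
    return out


def hidden_from_sweep(code=CODE, base=BASE):
    """Addresses of real instructions that the linear sweep never decodes."""
    swept = {a for a, _ in linear_sweep(code, base)}
    real = {a for a, t in recursive_traversal(code, base) if not t.startswith("db ")}
    return sorted(real - swept)


if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep()),
                          ("recursive traversal", recursive_traversal())):
        print(f"--- {name}")
        for addr, text in listing:
            print(f"{addr:08X}  {text}")
    print("instructions hidden from the sweep:",
          [f"{a:08X}" for a in hidden_from_sweep()])
```

The sweep decodes the stray 0F together with the 8B 45 FC 50 E8 that follow it as one six-byte JPO, then picks up again in the middle of the CALL's displacement, so the MOV, PUSH and CALL at 00401020, 00401023 and 00401024 never appear in its listing at all. The traversal never starts an instruction at 0040101F, so those three instructions survive and the 0F is left as a data byte.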

In contrast, when fed into NuMega SoftICE, the code sequence confuses its disassembler somewhat: the linear sweep decodes the 0F byte as the first byte of a two-byte opcode and consumes the bytes of the MOV as its operands. SoftICE outputs the following:


Antireversing Techniques 337