004010C2 cmp ebp,3
004010C5 ja 004010E8
004010C7 add ecx,14h
004010CA jmp 004010A3
004010CC mov ebx,edi
004010CE sub ecx,14h
004010D1 jmp 004010A3
004010D3 sub ebp,4
004010D6 sub ecx,4
004010D9 jmp 004010A3
004010DB mov esi,dword ptr [esp+44h]
004010DF xor dword ptr [edx],esi
004010E1 sub ecx,10h
004010E4 jmp 004010A3
004010E6 xor eax,edi
004010E8 add ecx,10h
004010EB jmp 004010A3
004010ED add edx,4
004010F0 sub ecx,18h
004010F3 jmp 004010A3
004010F5 pop edi
004010F6 pop esi
004010F7 pop ebp
004010F8 pop ebx
004010F9 add esp,28h
004010FC ret
The function’s jump table:
0x00401100 004010c2 004010bb 004010db 004010b4
0x00401110 004010cc 004010e6 004010ed 004010d3
0x00401120 004010f5
Listing 10.4 (continued)
The function in Listing 10.4 is an enhanced version of the function from
Listing 10.3. Instead of using direct indexes into the jump table, this
implementation uses an additional table that is filled in at runtime. This
table contains the actual jump table indexes, and the index into that table is
manipulated by the program in order to obtain the correct flow of the code.
This enhancement makes the function significantly harder for human reversers
to read, and it would also seriously complicate matters for a deobfuscator,
because determining the current value of the index into the array would
require some serious data-flow analysis.
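As an added illustration (not code from the book), here is a small C routine written twice: once plainly, and once flattened in the way the listing above describes, with a dispatcher loop, a jump table (the switch), and a separate index table that is filled in at run time and walked with arithmetic deltas rather than direct block numbers. The position variable is additionally updated through a second pointer (an alias), which is the data-flow complication the next paragraph goes on to discuss. The checksum routine, the block names and the table layout are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Plain version of a small routine: sum the bytes of a buffer and fold the
 * key into the running total after every fourth byte. Constructed for this
 * example; it is not from the book. */
uint32_t plain_checksum(const uint8_t *buf, size_t len, uint32_t key)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc += buf[i];
        if ((i & 3) == 3)
            acc ^= key;
    }
    return acc;
}

/* Basic blocks of the same routine, selected through the jump table below. */
enum block { B_INIT, B_CHECK, B_ADD, B_XOR, B_NEXT, B_EXIT };

/* Flattened version. The switch plays the role of the jump table; 'order' is
 * the extra table the listing describes, filled in at run time so the binary
 * carries no constant mapping from position to block. 'pos' indexes 'order',
 * and every block moves it by an arithmetic delta (compare the add/sub ecx
 * instructions in the listing) instead of naming its successor. 'alias' is a
 * second pointer to 'pos'; updates through it are what a data-flow analysis
 * has to resolve before it can recover the real control flow. */
uint32_t flattened_checksum(const uint8_t *buf, size_t len, uint32_t key)
{
    uint8_t order[8];
    memset(order, 0xff, sizeof order);       /* 0xff marks an unused slot */
    order[5] = B_INIT;  order[2] = B_CHECK;  order[7] = B_ADD;
    order[0] = B_XOR;   order[3] = B_NEXT;   order[6] = B_EXIT;

    size_t pos = 5;                          /* start at the INIT slot */
    size_t *alias = &pos;                    /* second name for the same variable */
    uint32_t acc = 0;
    size_t i = 0;

    for (;;) {                               /* the dispatcher loop */
        switch (order[pos]) {
        case B_INIT:  acc = 0; i = 0; pos -= 3;                           break; /* 5 -> 2 CHECK */
        case B_CHECK: pos += (i < len) ? 5 : 4;                           break; /* 2 -> 7 ADD or 6 EXIT */
        case B_ADD:   acc += buf[i]; *alias -= ((i & 3) == 3) ? 7 : 4;    break; /* 7 -> 0 XOR or 3 NEXT */
        case B_XOR:   acc ^= key;    *alias += 3;                         break; /* 0 -> 3 NEXT */
        case B_NEXT:  i++;           pos -= 1;                            break; /* 3 -> 2 CHECK */
        case B_EXIT:  return acc;
        default:      return 0;              /* unreachable with a consistent table */
        }
    }
}

/* Constructed sample input so the block runs stand-alone. */
static const uint8_t sample[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9 };
#define SAMPLE_KEY 0x55u

uint32_t demo_plain(void)     { return plain_checksum(sample, sizeof sample, SAMPLE_KEY); }
uint32_t demo_flattened(void) { return flattened_checksum(sample, sizeof sample, SAMPLE_KEY); }

int main(void)
{
    printf("plain:     %u\nflattened: %u\n", demo_plain(), demo_flattened());
    return demo_plain() == demo_flattened() ? 0 : 1;
}
```

Reading the flattened version with only the source of each case in hand, nothing tells you which block follows B_ADD: the successor is whatever order[] holds at a position that depends on the current value of pos, on the delta chosen by the data, and on writes made through alias. Recovering the original loop means tracking that value through every path, which is exactly the data-flow work the book says a deobfuscator would need.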
The original implementation in [Wang] is more focused on preventing static
analysis of the code by deobfuscators. The approach chosen in that study is to
use pointer aliases as a means of confusing automated deobfuscators. Pointer
aliases are simply multiple pointers that point to the same memory location.
Aliases significantly complicate any kind of data-flow analysis process