Assembly Language for Beginners

(nextflipdebug2) #1

3.17 Obfuscation


Very old keyboards used to do Shift just by toggling the 32 or 16 bit, depending on the
key; this is why the relationship between small and capital letters in ASCII is so regular, and
the relationship between numbers and symbols, and some pairs of symbols, is sort of regular
if you squint at it.

( Eric S. Raymond, http://www.catb.org/esr/faqs/things-every-hacker-once-knew/ )


Therefore, we can write this piece of code, which just flips the case of letters:


#include <stdio.h>

char flip (char c)
{
        // upper and lower case letters differ only in bit 5 (0x20) in ASCII
        if((c>='a' && c<='z') || (c>='A' && c<='Z'))
                return c^0x20;
        else
                return c;
}

int main()
{
        // will produce "hELLO, WORLD!"
        for (char *s="Hello, world!"; *s; s++)
                printf ("%c", flip(*s));
}


3.16.4 Summary.


All these compiler optimizations are very popular nowadays and a practicing reverse engineer usually
sees such code patterns often.


3.17 Obfuscation


Obfuscation is an attempt to hide the code (or its meaning) from reverse engineers.


3.17.1 Text strings


As we saw in (5.4 on page 704), text strings may be really helpful.


Programmers who are aware of this try to hide them, making it impossible to find the string in IDA or any
hex editor.


Here is the simplest method.


This is how the string can be constructed:


mov byte ptr [ebx], 'h'
mov byte ptr [ebx+1], 'e'
mov byte ptr [ebx+2], 'l'
mov byte ptr [ebx+3], 'l'
mov byte ptr [ebx+4], 'o'
mov byte ptr [ebx+5], ' '
mov byte ptr [ebx+6], 'w'
mov byte ptr [ebx+7], 'o'
mov byte ptr [ebx+8], 'r'
mov byte ptr [ebx+9], 'l'
mov byte ptr [ebx+10], 'd'
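
From the analyst's side, a string built this way never appears as contiguous text, but the stores themselves have a fixed encoding that can be searched for. The following Python script is an added example, not code from the book: it sweeps raw x86-32 bytes for runs of mov byte ptr [reg+disp8], imm8 and reassembles the string by displacement. The function names and the sample bytes are constructed here from the listing above, and a byte-by-byte sweep is a heuristic rather than a real disassembler.

```python
# Added example (not from the book): recover strings that code builds one byte
# at a time with `mov byte ptr [reg+disp8], imm8`, as in the listing above.
# x86-32 encoding: C6 /0 ib = opcode 0xC6, ModRM (reg field 0), [disp8], imm8.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_mov_byte(code, i):
    """Decode one byte store at offset i -> (base, disp, imm8, length) or None."""
    if i + 3 > len(code) or code[i] != 0xC6:
        return None
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 0 or rm == 4:            # not /0, or a SIB byte follows (not handled)
        return None
    if mod == 0 and rm != 5:           # [reg], imm8 (rm=5 would mean disp32)
        return REGS[rm], 0, code[i + 2], 3
    if mod == 1 and i + 4 <= len(code):  # [reg+disp8], imm8
        disp = code[i + 2] - 256 if code[i + 2] > 127 else code[i + 2]
        return REGS[rm], disp, code[i + 3], 4
    return None

def find_built_strings(code, min_len=4):
    """Linear sweep: return [(offset, base, text)] for runs of adjacent stores."""
    found, i = [], 0
    while i < len(code):
        start, base, stores = i, None, {}
        while (ins := decode_mov_byte(code, i)) and ins[0] == (base or ins[0]):
            base, stores[ins[1]] = ins[0], ins[2]
            i += ins[3]
        # Order by displacement, not by instruction order, and stop at the
        # first gap or non-printable byte.
        chars, d = [], min(stores, default=0)
        while d in stores and 0x20 <= stores[d] < 0x7F:
            chars.append(chr(stores[d]))
            d += 1
        if len(chars) >= min_len:
            found.append((start, base, "".join(chars)))
        if i == start:                 # nothing decoded here, move one byte on
            i += 1
    return found

def encode_stores(text):
    """Constructed sample: machine code for the listing's stores through ebx."""
    return b"".join(bytes([0xC6, 0x03, ord(c)]) if d == 0
                    else bytes([0xC6, 0x43, d, ord(c)]) for d, c in enumerate(text))

# Constructed input: push ebp / mov ebp, esp / the eleven stores / ret
SAMPLE = b"\x55\x8b\xec" + encode_stores("hello world") + b"\xc3"

if __name__ == "__main__":
    for offset, base, text in find_built_strings(SAMPLE):
        print(f"0x{offset:02x}: [{base}] -> {text!r}")
```

Because the characters are ordered by displacement, the string is still recovered when the stores are emitted in shuffled order.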


The string can also be compared with another one like this:
