Assembly Language for Beginners



LDR R1, [R3,#0x3C]
STR R1, [R5,#0x60]
BCC 0xFFFFFF70
LDR R4, [SP,#0x1D4]
STR R5, [R5,#0x40]
ORRS R5, R7

loc_3C ; DATA XREF: ROM:00000006
B 0xFFFFFF98


Listing 5.11: random noise (MIPS little endian)
lw $t9, 0xCB3($t5)
sb $t5, 0x3855($t0)
sltiu $a2, $a0, -0x657A
ldr $t4, -0x4D99($a2)
daddi $s0, $s1, 0x50A4
lw $s7, -0x2353($s4)
bgtzl $a1, 0x17C5C

.byte 0x17
.byte 0xED
.byte 0x4B # K
.byte 0x54 # T

lwc2 $31, 0x66C5($sp)
lwu $s1, 0x10D3($a1)
ldr $t6, -0x204B($zero)
lwc1 $f30, 0x4DBE($s2)
daddiu $t1, $s1, 0x6BD9
lwu $s5, -0x2C64($v1)
cop0 0x13D642D
bne $gp, $t4, 0xFFFF9EF0
lh $ra, 0x1819($s1)
sdl $fp, -0x6474($t8)
jal 0x78C0050
ori $v0, $s2, 0xC634
blez $gp, 0xFFFEA9D4
swl $t8, -0x2CD4($s2)
sltiu $a1, $k0, 0x685
sdc1 $f15, 0x5964($at)
sw $s0, -0x19A6($a1)
sltiu $t6, $a3, -0x66AD
lb $t7, -0x4F6($t3)
sd $fp, 0x4B02($a1)

It is also important to keep in mind that cleverly constructed unpacking and decryption code (including
self-modifying code) may look like noise as well, yet still execute correctly.


5.11.2 Correctly disassembled code


Each ISA has a dozen or so instructions that are used most of the time; all the rest are used much less often.


As for x86, it is interesting to note that function calls (PUSH/CALL/ADD) and MOV instructions
are the most frequently executed pieces of code in almost all programs we use. In other words, the CPU is
very busy passing information between levels of abstraction, or, it can be said, it is very busy switching
between these levels, regardless of the ISA. This is the cost of splitting problems into several levels of
abstraction (so that humans can work with them more easily).
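The observation above, that a small set of instructions dominates real code while random data has no such
bias, can be turned into a quick triage check for the "is this code or noise?" question of the previous
section. The following Python is an added example, not code from the book: it measures how many bytes of a
blob fall into an assumed set of common x86-32 opcode bytes (the table is this example's own choice, not
taken from any disassembler), and how much of the blob is covered by its twelve most frequent byte values.
The sample "code" is a pair of hand-assembled x86-32 functions constructed for this example; the "noise"
is seeded pseudo-random bytes.

```python
"""
Crude 'x86 code or noise?' heuristic built on instruction-frequency bias.

Two statistics, both following from the fact that every ISA has a small set of
very frequently used instructions:

  1. hot_opcode_ratio: fraction of bytes whose value is a common x86-32 opcode
     byte (push/pop reg, mov, call, ret, ...). Uniform random data hits this
     set with probability len(set)/256 (about 0.13 here); real code hits it
     far more often, because opcode bytes make up roughly half of every
     instruction and the same few opcodes recur constantly.
  2. top_n_share: fraction of all bytes accounted for by the n most frequent
     byte values. In uniform noise every value is about equally common, so the
     top 12 cover only a little more than 12/256 of the data; in code a few
     opcode and ModRM bytes dominate.

Neither statistic is a disassembler; they only say whether a region is worth
disassembling at all.
"""
from collections import Counter
import random

# ASSUMPTION: this table of "hot" opcode bytes is this example's own choice.
HOT_X86_OPCODES = frozenset(
    list(range(0x50, 0x60))      # push r32 (0x50-0x57), pop r32 (0x58-0x5F)
    + [0x89, 0x8B, 0x8D,         # mov r/m,r ; mov r,r/m ; lea
       0xE8, 0xC3, 0xC9,         # call rel32 ; ret ; leave
       0x83, 0x6A, 0x68,         # add/sub/cmp r/m,imm8 ; push imm8 ; push imm32
       0x85, 0x74, 0x75,         # test ; jz rel8 ; jnz rel8
       0xEB, 0xE9, 0xFF,         # jmp rel8 ; jmp rel32 ; call/jmp/push r/m
       0x01, 0x31, 0xC7]         # add r/m,r ; xor r/m,r ; mov r/m,imm32
)


def hot_opcode_ratio(blob: bytes) -> float:
    """Fraction of bytes that are in HOT_X86_OPCODES (0.0 for an empty blob)."""
    if not blob:
        return 0.0
    return sum(b in HOT_X86_OPCODES for b in blob) / len(blob)


def top_n_share(blob: bytes, n: int = 12) -> float:
    """Fraction of the blob covered by its n most frequent byte values."""
    if not blob:
        return 0.0
    counts = Counter(blob)
    return sum(c for _, c in counts.most_common(n)) / len(blob)


def looks_like_x86_code(blob: bytes) -> bool:
    """Heuristic verdict; thresholds sit well above what uniform noise scores."""
    return hot_opcode_ratio(blob) > 0.30 and top_n_share(blob) > 0.30


# Constructed sample: two hand-assembled x86-32 cdecl functions, repeated to
# get a few hundred bytes. The call displacement is a placeholder.
_ADD_FUNC = bytes([
    0x55,                          # push ebp
    0x89, 0xE5,                    # mov  ebp, esp
    0x83, 0xEC, 0x10,              # sub  esp, 0x10
    0x8B, 0x45, 0x08,              # mov  eax, [ebp+8]
    0x8B, 0x4D, 0x0C,              # mov  ecx, [ebp+12]
    0x01, 0xC8,                    # add  eax, ecx
    0x89, 0x45, 0xFC,              # mov  [ebp-4], eax
    0x8B, 0x45, 0xFC,              # mov  eax, [ebp-4]
    0xC9,                          # leave
    0xC3,                          # ret
])
_CALLER = bytes([
    0x55,                          # push ebp
    0x89, 0xE5,                    # mov  ebp, esp
    0x6A, 0x02,                    # push 2
    0x6A, 0x01,                    # push 1
    0xE8, 0xE2, 0xFF, 0xFF, 0xFF,  # call rel32 (placeholder displacement)
    0x83, 0xC4, 0x08,              # add  esp, 8
    0x85, 0xC0,                    # test eax, eax
    0x74, 0x03,                    # jz   +3 (skip the add below)
    0x83, 0xC0, 0x01,              # add  eax, 1
    0x5D,                          # pop  ebp
    0xC3,                          # ret
])
SAMPLE_CODE = (_ADD_FUNC + _CALLER) * 16

# Constructed noise: seeded so the numbers are reproducible (Python 3.9+).
NOISE = random.Random(2024).randbytes(4096)


def report(name: str, blob: bytes) -> dict:
    """Return the statistics for one blob (also used by the demo below)."""
    return {
        "name": name,
        "hot_opcode_ratio": round(hot_opcode_ratio(blob), 3),
        "top12_share": round(top_n_share(blob), 3),
        "looks_like_code": looks_like_x86_code(blob),
    }


if __name__ == "__main__":
    for item in (report("hand-assembled x86 code", SAMPLE_CODE),
                 report("seeded random bytes", NOISE)):
        print(item)
```

On the sample above, the code scores a hot-opcode ratio of 26/46 and a top-12 share of 30/46, while the random
bytes land near 34/256 and well under 0.15 respectively. Real compiler output scores lower than the artificial
sample, since immediates and displacements dilute the opcode bytes, but it stays well clear of the noise
baseline; the point of the text is exactly that a handful of opcodes account for most of what a CPU executes.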


5.12 Text strings right in the middle of compressed data


You can download Linux kernels and find English words right in the middle of compressed data:


% wget https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.10.2.tar.gz
