Reversing : The Hacker's Guide to Reverse Engineering

001B:0040101D JMP 00401020
001B:0040101F JNP E8910C6A
001B:00401025 XLAT
001B:00401026 INVALID
001B:00401028 JMP FAR [EAX-24]
001B:0040102B PUSHAD
001B:0040102C INC EAX

As you can see, SoftICE’s linear sweep disassembler is completely baffled
by our junk byte, even though it is skipped over by the unconditional jump.
Stepping over the unconditional JMP at 0040101D sets EIP to 401020, which
SoftICE uses as a hint for where to begin disassembly. This produces the
following listing, which is of course far better:

001B:0040101D JMP 00401020
001B:0040101F JNP E8910C6A
001B:00401020 MOV EAX,[EBP-04]
001B:00401023 PUSH EAX
001B:00401024 CALL 00401000

This listing is generally correct, but SoftICE is still confused by our 0F byte
and is showing a JNP instruction at 40101F, which is where our 0F byte is.
This is inconsistent because JNP is a long instruction (it should be 6 bytes), and
yet SoftICE is showing the correct MOV instruction right after it, at 401020, as
though the JNP is 1 byte long! This almost looks like a disassembler bug, but it
hardly matters considering that the real instructions starting at 401020 are all
deciphered correctly.

Recursive Traversal Disassemblers
The preceding technique can be somewhat effective in annoying and confusing
reversers, but it is not entirely effective because it doesn’t fool more clever
disassemblers such as IDA Pro or even smart debuggers such as OllyDbg.
Let’s proceed to examine techniques that would also fool recursive traversal
disassemblers. When you consider a recursive traversal disassembler, you can
see that in order to confuse it into incorrectly disassembling data you’ll need to
feed it an opaque predicate. Opaque predicates are essentially false branches,
where the branch appears to be conditional, but is essentially unconditional. As
with any branch, the code is split into two paths. One code path leads to real
code, and the other to junk. Figure 10.1 illustrates this concept where the
condition is never true. Figure 10.2 illustrates the reverse condition, in which the
condition is always true.
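To make the two listings concrete, here is an added example (not from the book) that decodes a constructed copy of the bytes above with both strategies: a linear sweep reproduces SoftICE's bogus JNP E8910C6A at 0040101F, while a recursive traversal follows the JMP and never decodes the junk byte, which is why this trick alone does not work against IDA Pro or OllyDbg. The toy decoder understands only the opcodes that appear in the listing, and the bytes after the CALL are filler; both are assumptions of the example.

```python
# Constructed bytes reproducing the listing above (base 0040101D): a short JMP over one junk 0F byte.
BASE = 0x0040101D
CODE = bytes.fromhex(
    "EB01"        # 0040101D  JMP 00401020    (skips the junk byte)
    "0F"          # 0040101F  junk byte: looks like the first byte of a 0F xx opcode
    "8B45FC"      # 00401020  MOV EAX,[EBP-04]
    "50"          # 00401023  PUSH EAX
    "E8D7FFFFFF"  # 00401024  CALL 00401000
)

def decode(addr):  # toy decoder for this listing's opcodes -> (text, length, targets, falls_through)
    off, op = addr - BASE, CODE[addr - BASE]
    def rel(start, size):  # signed little-endian displacement at CODE[start:start+size]
        return int.from_bytes(CODE[start:start + size], "little", signed=True)
    if op == 0xEB:                                       # JMP rel8: unconditional, no fall-through
        tgt = (addr + 2 + rel(off + 1, 1)) & 0xFFFFFFFF
        return f"JMP {tgt:08X}", 2, [tgt], False
    if op == 0x0F and CODE[off + 1:off + 2] == b"\x8b":  # JNP rel32: 6 bytes, conditional
        tgt = (addr + 6 + rel(off + 2, 4)) & 0xFFFFFFFF
        return f"JNP {tgt:08X}", 6, [tgt], True
    if op == 0x8B and CODE[off + 1:off + 2] == b"\x45":  # MOV EAX,[EBP+disp8]
        return f"MOV EAX,[EBP{rel(off + 2, 1):+03X}]", 3, [], True
    if op == 0x50:
        return "PUSH EAX", 1, [], True
    if op == 0xE8:                                       # CALL rel32 (callee not followed here)
        return f"CALL {(addr + 5 + rel(off + 1, 4)) & 0xFFFFFFFF:08X}", 5, [], True
    if op == 0xD7:
        return "XLAT", 1, [], True
    return f"DB {op:02X}", 1, [], True                   # anything else: undefined byte

def linear_sweep(start=BASE):
    """Decode every byte in address order, as SoftICE's first listing does."""
    out, addr = [], start
    while addr < BASE + len(CODE):
        text, length, _, _ = decode(addr)
        out.append((addr, text))
        addr += length
    return out

def recursive_traversal(start=BASE):
    """Follow control flow: only bytes reachable by a branch or fall-through get decoded."""
    seen, work = {}, [start]
    while work:
        addr = work.pop()
        if addr in seen or not BASE <= addr < BASE + len(CODE):
            continue
        text, length, targets, falls = decode(addr)
        seen[addr] = text
        work.extend(targets + ([addr + length] if falls else []))
    return sorted(seen.items())
```

The linear sweep swallows the junk 0F together with the real MOV, PUSH and CALL opcode bytes as one 6-byte JNP and then misreads the CALL's displacement as XLAT, exactly as in the first SoftICE listing; the recursive traversal never visits 0040101F at all.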

