Reversing : The Hacker's Guide to Reverse Engineering

0040103F. 50 PUSH EAX
00401040 E8 BBFFFFFF CALL compiler.main

Olly is clearly ignoring the junk byte and using the conditional jump as a
marker to the real code starting position, which is why it is providing an accurate
listing. It is possible that Olly contains specific code for dealing with these
kinds of tricks. Regardless, at this point it becomes clear that you can take
advantage of Olly’s use of the jump’s target address to confuse it; if OllyDbg
uses conditional jumps to mark the beginning of valid code sequences, you
can just create a conditional jump that points to the beginning of the invalid
sequence. The following code snippet demonstrates this idea:


_asm
{
    mov eax, 2
    cmp eax, 3
    je Junk                     ; never taken: eax is 2, not 3
    jne After                   ; always taken, so execution skips the junk byte
Junk:
    _emit 0xf                   ; 0x0F opens a two-byte opcode, so a disassembler that
                                ; starts here swallows the bytes of the real instructions
After:
    mov eax, [SomeVariable]
    push eax
    call AFunction
}

This sequence is an improved implementation of the same approach. It is
more likely to confuse recursive traversal disassemblers because they will
have to randomly choose which of the two jumps to use as indicators of valid
code. The reason why this is not trivial is that both codes are “valid” from the
disassembler’s perspective. This is a theoretical problem: the disassembler has
no idea what constitutes valid code. The only measurement it has is whether it
finds invalid opcodes, in which case a clever disassembler should probably
consider the current starting address as invalid and look for an alternative one.
Let’s look at the listing Olly produces from the above code.


00401031. B8 02000000 MOV EAX,2
00401036. 83F8 03 CMP EAX,3
00401039. 74 02 JE SHORT compiler.0040103D
0040103B. 75 01 JNZ SHORT compiler.0040103E
0040103D > 0F8B 45F850E8 JPO E8910888
00401043? B9 FFFFFF68 MOV ECX,68FFFFFF
00401048? DC60 40 FSUB QWORD PTR DS:[EAX+40]
0040104B? 00E8 ADD AL,CH
0040104D? 0300 ADD EAX,DWORD PTR DS:[EAX]
0040104F? 0000 ADD BYTE PTR DS:[EAX],AL
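As an added example (not from the book), here is a toy x86 decoder that knows only the opcodes in the listing above. It follows both edges of each conditional jump the way a recursive traversal disassembler does, then reports the one signal left to it: the 6-byte JPO decoded from the junk byte straddles the starts of the real mov, push and call. The bytes are reconstructed from the listing and the local at [ebp-8] stands in for SomeVariable.

```python
import struct
BASE = 0x00401031  # load address taken from the listing
# Constructed test input: the bytes reconstructed from the OllyDbg listing above.
CODE = bytes.fromhex(
    "B802000000"  # 401031  mov eax,2
    "83F803"      # 401036  cmp eax,3
    "7402"        # 401039  je  40103D (Junk)   never taken: eax is 2
    "7501"        # 40103B  jne 40103E (After)  always taken
    "0F"          # 40103D  the junk byte from _emit 0xf
    "8B45F8"      # 40103E  mov eax,[ebp-8]     (SomeVariable)
    "50"          # 401041  push eax
    "E8B9FFFFFF"  # 401042  call 401000         (AFunction)
)

def imm(fmt, off):  # little-endian immediate/displacement at CODE[off]
    return struct.unpack_from(fmt, CODE, off)[0]

def decode(off):  # one instruction at CODE[off] -> (text, length, successor offsets)
    b = CODE[off]
    if b == 0xB8:                                   # mov eax, imm32
        return f"mov eax,{imm('<I', off + 1):#x}", 5, [off + 5]
    if b == 0x83 and CODE[off + 1] == 0xF8:         # cmp eax, imm8
        return f"cmp eax,{CODE[off + 2]:#x}", 3, [off + 3]
    if b in (0x74, 0x75):                           # je/jne rel8: fall-through and target
        rel, name = imm('<b', off + 1), ("je", "jne")[b - 0x74]
        return f"{name} {BASE + off + 2 + rel:#x}", 2, [off + 2, off + 2 + rel]
    if b == 0x0F and CODE[off + 1] == 0x8B:         # jpo rel32: 0F swallows the real mov/push/call
        return f"jpo {(BASE + off + 6 + imm('<i', off + 2)) & 0xFFFFFFFF:#x}", 6, []
    if b == 0x8B and CODE[off + 1] == 0x45:         # mov eax,[ebp+disp8]
        return f"mov eax,[ebp{imm('<b', off + 2):+#x}]", 3, [off + 3]
    if b == 0x50:
        return "push eax", 1, [off + 1]
    if b == 0xE8:                                   # call rel32, treated as a leaf here
        return f"call {(BASE + off + 5 + imm('<i', off + 1)) & 0xFFFFFFFF:#x}", 5, []
    raise ValueError(f"unknown opcode {b:#x} at {BASE + off:#x}")

def recursive_traversal(start=0):  # follow both edges of each jump -> {offset: (text, len)}
    seen, work = {}, [start]
    while work:
        off = work.pop()
        if off in seen or off >= len(CODE):
            continue
        text, length, succ = decode(off)
        seen[off] = (text, length)
        work.extend(succ)
    return seen

def conflicts(insns):  # addresses whose decoded bytes straddle another decoded start
    starts = sorted(insns)
    return [BASE + a for a in starts if any(a < b < a + insns[a][1] for b in starts)]
```

Note that the junk path never hits an invalid opcode here (the JPO target simply lies outside the buffer), so overlapping instruction boundaries, not decode failures, are what a disassembler would have to check to reject the 0x40103D start.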

Antireversing Techniques 341