This is just a small collection of notes about disassembly and anti-disassembly tricks, and how to get around them.

The simplest disassemblers are very simple, but they can also be very complicated. More advanced disassemblers try to recognize things like functions (which may have multiple returns) and idioms like jump tables, and try not to get tricked by anti-disassembly tricks.

- Linear - Disassembles all instructions in order, starting from some point (usually the entry point of a binary).
- Flow-oriented - These follow jumps and calls and continue disassembling from their target. They also might stop disassembling after return instructions, so they avoid showing instructions that are unreachable (and thus probably not code at all).

Because flow-oriented disassemblers follow branches, and because conditional branches exist, the disassembler has to make a decision. Often, for normal code, a disassembler can simply follow both (e.g. jump and don't jump: disassemble from the target and from the next instruction). The problem is that there can be contradictory or incompatible jumps. There are a variety of ways to trick a disassembler.

Put two consecutive, but 'opposite' conditional branches, e.g.

(image)

This is commonly used in shellcode to get an address of in-band data, since on x86 it's the easiest way to get an address around the PC.

(image)

Use a series of bytes that will be executed more than once, as different instructions, depending where the PC lies.

(image)

When a disassembler disassembles this (as x86), it'll see EB FF as jmp 1, then C0, which isn't a valid opcode, and finally 48 as dec eax.
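To make the difference between the two disassembler types concrete for both tricks above (the opposite-branch pair and the EB FF C0 48 overlap), here is an added Python example; it is not code from the original notes. It is a toy decoder that knows only a handful of x86 opcodes, a linear sweep, a flow-following sweep, and an overlap check. The byte sequences are constructed for the example (OVERLAP is the page's EB FF C0 48 with a ret appended so the sweeps terminate; OPPOSITE is made up), and the mnemonic text follows no particular disassembler's output format.

```python
"""Toy x86-32 decoder for a handful of opcodes, used to contrast a linear
sweep with a flow-oriented (recursive descent) sweep on anti-disassembly
byte sequences. The opcode table is deliberately tiny; anything it does
not know is reported as "(bad)" with length 1."""
import struct

ONE_BYTE = {0x90: "nop", 0x40: "inc eax", 0x48: "dec eax"}
SHORT_BRANCH = {0xEB: ("jmp", "jmp"), 0x74: ("jz", "cond"), 0x75: ("jnz", "cond")}


def decode(code, off):
    """Decode one instruction at code[off].

    Returns (text, length, kind, target): kind is 'seq', 'jmp', 'cond',
    'ret' or 'bad'; target is the branch destination (or None).
    """
    b = code[off]
    if b in ONE_BYTE:
        return ONE_BYTE[b], 1, "seq", None
    if b == 0xC3:
        return "ret", 1, "ret", None
    nxt = code[off + 1] if off + 1 < len(code) else None
    if b == 0x31 and nxt == 0xC0:
        return "xor eax, eax", 2, "seq", None
    if b == 0xFF and nxt == 0xC0:                      # FF /0 with modrm C0
        return "inc eax", 2, "seq", None
    if b in SHORT_BRANCH and nxt is not None:          # rel8 branches
        name, kind = SHORT_BRANCH[b]
        target = off + 2 + struct.unpack_from("<b", code, off + 1)[0]
        return f"{name} {target:#x}", 2, kind, target
    if b == 0xE8 and off + 5 <= len(code):            # call rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = (off + 5 + rel) & 0xFFFFFFFF
        return f"call {target:#x}", 5, "seq", target  # execution resumes after it
    return "(bad)", 1, "bad", None


def linear_sweep(code, start=0):
    """Decode every byte in order; never follows a branch."""
    listing, off = [], start
    while off < len(code):
        text, length, _, _ = decode(code, off)
        listing.append((off, text))
        off += length
    return listing


def flow_sweep(code, start=0):
    """Follow jumps and both arms of a conditional; stop at ret or bad bytes."""
    seen, work = {}, [start]
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        text, length, kind, target = decode(code, off)
        seen[off] = text
        if kind in ("seq", "cond"):
            work.append(off + length)
        if kind in ("jmp", "cond"):
            work.append(target)
    return sorted(seen.items())


def overlapping(code, listing):
    """Offsets whose bytes overlap the next listed instruction: the tell-tale
    sign that two decodings of the same bytes are both reachable."""
    spans = [(off, off + decode(code, off)[1]) for off, _ in listing]
    return [a for (a, a_end), (b, _) in zip(spans, spans[1:]) if b < a_end]


# Constructed inputs (not taken from the page's images). OVERLAP is the page's
# EB FF C0 48 with a C3 appended so the sweeps terminate; OPPOSITE is a made-up
# jz/jnz pair to the same target with a junk E8 byte between them and the real
# code, so a linear sweep swallows "dec eax; ret" inside a bogus 5-byte call.
OVERLAP = bytes([0xEB, 0xFF, 0xC0, 0x48, 0xC3])
OPPOSITE = bytes([0x31, 0xC0, 0x74, 0x03, 0x75, 0x01,
                  0xE8, 0x48, 0xC3, 0x90, 0x90])

if __name__ == "__main__":
    for name, code in (("OVERLAP", OVERLAP), ("OPPOSITE", OPPOSITE)):
        for label, sweep in (("linear", linear_sweep), ("flow", flow_sweep)):
            listing = sweep(code)
            print(f"{name} / {label}:")
            for off, text in listing:
                print(f"  {off:#04x}  {text}")
            print("  overlapping at:", overlapping(code, listing))
```

Running it shows the linear sweep of OVERLAP producing jmp, (bad), dec eax, ret, exactly the sequence the notes describe, while the flow sweep lands on the FF byte and decodes inc eax instead. For OPPOSITE the flow sweep reaches the real dec eax at offset 7 through either branch, but also decodes the junk E8 as a call at offset 6; the overlap check flags offset 6, which is the kind of warning an analyst should treat as a sign of deliberate anti-disassembly rather than a decoder bug.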