Question
I am trying to understand an example from the book "Practical Malware Analysis" by Michael Sikorski. There is an example on anti-disassembly techniques that I don't comprehend. It says that a common technique is to create two conditional instructions, namely jump if zero (JZ) and jump if not zero (JNZ), which considered together are actually just one unconditional instruction (this is clear to me). Here are the graphics of the two possible results created by the disassembler.
The following quote refers to Figure 1:
In this example, the instruction immediately following the two conditional jump instructions appears to be a call instruction at (call), beginning with the byte 0xE8. This is not the case, however, as both conditional jump instructions actually point 1 byte beyond the 0xE8 byte
What is that supposed to mean, and why is the jump location loc_4011C4+1 (where does the +1 come from)? And in Figure 2 it's loc_4011C5? Can someone provide a more detailed explanation?
Answer 1:
The result of assembly code compilation is a piece of native code, more specifically a sequence of bytes, where different parts of this sequence correspond to instructions from the original assembly. Intel x86 processors have a so-called CISC instruction set, which basically means that instruction length in bytes can vary from 1 to some 12, and that's without considering instruction set extensions that are available nowadays. The technique presented makes use of this fact.
The whole point is to mislead the person with a potential mischief in their mind. Code of the second example (with pop eax and retn) is what we want to execute and what will be executed.
However, because we inserted a fake byte in front of the pop eax instruction, the disassembled code will, without paying close attention, appear as if there was a call to some location in memory, since most of the less bright disassemblers automatically assume that machine code of a binary has no gaps in it.
This technique is not foolproof. More sophisticated disassemblers will reveal the author's true intentions. Also note that if the person trying to break into the code is running it in a debug environment, this technique will once again be of no use.
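The byte layout behind the two figures, as an added example (not part of the original post and not code from the book): the bytes are constructed to match the loc_4011C4 / loc_4011C5 labels in the question, and the function name find_opaque_jump_pairs is hypothetical. It flags a short conditional jump followed by its opposite when both resolve to the same address, and reports the bytes a linear disassembler would wrongly decode as the next instruction.

```python
# Constructed bytes laid out to match the labels in the question
# (loc_4011C4 / loc_4011C5); they are not copied from the book.
BASE = 0x4011C0
CODE = bytes([
    0x74, 0x03,   # 4011C0: jz  short 4011C5
    0x75, 0x01,   # 4011C2: jnz short 4011C5
    0xE8,         # 4011C4: rogue byte, never executed
    0x58,         # 4011C5: pop eax
    0xC3,         # 4011C6: retn
])

def rel8(b):
    """Interpret one byte as a signed 8-bit displacement."""
    return b - 0x100 if b & 0x80 else b

def find_opaque_jump_pairs(code, base):
    """Heuristic byte scan for Jcc/J!cc short-jump pairs with one target.

    Short conditional jumps are opcodes 0x70-0x7F followed by a rel8;
    opcodes that differ only in the low bit test opposite conditions
    (0x74 jz / 0x75 jnz). The target is relative to the end of each jump.
    """
    hits = []
    for i in range(len(code) - 3):
        op1, op2 = code[i], code[i + 2]
        if not (0x70 <= op1 <= 0x7F and op2 == op1 ^ 1):
            continue
        t1 = base + i + 2 + rel8(code[i + 1])
        t2 = base + i + 4 + rel8(code[i + 3])
        if t1 != t2:
            continue
        fallthrough = base + i + 4          # where a linear sweep decodes next
        skipped = code[i + 4 : t1 - base] if t1 > fallthrough else b""
        hits.append({"at": base + i, "target": t1,
                     "fallthrough": fallthrough, "skipped": bytes(skipped)})
    return hits

if __name__ == "__main__":
    for h in find_opaque_jump_pairs(CODE, BASE):
        print(f"pair at {h['at']:#x} -> {h['target']:#x} "
              f"(= loc_{h['fallthrough']:X}+{h['target'] - h['fallthrough']}), "
              f"skipped bytes: {h['skipped'].hex()}")
```

Because this scans raw bytes rather than decoded instructions, a hit is a lead to check in the disassembler, not proof of obfuscation.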
Source: https://stackoverflow.com/questions/45775933/x86-assembly-two-jump-instructions-with-the-same-target