Analysis of SMC Technology

Source: Internet
Author: User

SMC is the abbreviation of Self-Modifying Code. As the name implies, it is code that modifies itself: a piece of code can be rewritten before it is executed.
SMC technology was very popular in the DOS era, because programs of that era sat much closer to the underlying system. Even today, assembly remains the most convenient way to implement SMC.

'Using this feature of SMC, when designing an encryption scheme you can store the code in the executable file in encrypted form and decrypt it dynamically while the program runs; this is an effective way to deal with static analysis. Conversely, to understand what the encrypted code does, you only need to trace it dynamically, or locate and analyze the decryption routine and write a program to decrypt the code.'
In practice, SMC technology is widely used, and not just for anti-tracing; how it is used is limited only by the user's imagination.
However, some may say that SMC is outdated today. Even so, this does not prevent beginners like me from understanding SMC technology, or at least the concept of SMC.

The following uses Lao Luo's example program to describe the application of SMC technology:

It is written in assembly, although SMC is not exclusive to assembly!
Readers may be put off by a long assembly listing, but it doesn't matter.
Here is a guide:
The structure of the routine can be understood as

1. Invoke ShowMessage
2. Modify the ShowMessage proc
3. Invoke ShowMessage

Okay.
Let's look at Lao Luo's source code.
Note:
For a ring3 program, the .code segment is not writable by default! Therefore the section attributes are changed through the linker when the MASM program is built:

    ml /c /coff %1.asm
    link /subsystem:windows /section:.text,RWE %1.obj

/section:.text,RWE sets the attributes of the code section (.text) to RWE, meaning R (readable), W (writable), E (executable)!
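A writable code section is exactly the trace that the link step above leaves in the executable, and it is something a loader or scanner can check for without running the program. The following C program is an added example, not part of Lao Luo's code or of the original article: it walks the PE section table of an image held in memory and counts sections whose characteristics carry both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. The image it scans is a constructed header skeleton (MZ stub, PE signature, COFF header, section table) built inline so the example runs offline; the flag values are the standard PE/COFF ones, and the value 0xE0000020 is what /section:.text,RWE produces for a code section.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section characteristics flags from the PE/COFF specification. */
#define IMAGE_SCN_CNT_CODE             0x00000020u
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040u
#define IMAGE_SCN_MEM_EXECUTE          0x20000000u
#define IMAGE_SCN_MEM_READ             0x40000000u
#define IMAGE_SCN_MEM_WRITE            0x80000000u

#define PE_SECTION_HEADER_SIZE 40   /* sizeof(IMAGE_SECTION_HEADER) */

/* PE is little-endian regardless of host; read fields byte by byte. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Count sections that are both writable and executable. Returns -1 when the
   headers are malformed or truncated. first_name (optional, 9 bytes) receives
   the name of the first such section. */
int count_wx_sections(const uint8_t *img, size_t len, char first_name[9]) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t pe_off = rd32(img + 0x3C);                              /* e_lfanew */
    if (pe_off > len || len - pe_off < 24) return -1;
    if (rd32(img + pe_off) != 0x00004550u) return -1;                /* "PE\0\0" */
    const uint8_t *coff = img + pe_off + 4;
    uint16_t nsec = rd16(coff + 2);                                  /* NumberOfSections */
    uint16_t opt_size = rd16(coff + 16);                             /* SizeOfOptionalHeader */
    size_t sec_off = (size_t)pe_off + 4 + 20 + opt_size;
    if (sec_off > len || (len - sec_off) / PE_SECTION_HEADER_SIZE < nsec) return -1;

    int hits = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *sh = img + sec_off + (size_t)i * PE_SECTION_HEADER_SIZE;
        uint32_t ch = rd32(sh + 36);                                 /* Characteristics */
        if ((ch & IMAGE_SCN_MEM_WRITE) && (ch & IMAGE_SCN_MEM_EXECUTE)) {
            if (hits == 0 && first_name) { memcpy(first_name, sh, 8); first_name[8] = 0; }
            hits++;
        }
    }
    return hits;
}

/* Constructed header skeleton (not a loadable image): MZ stub, PE signature,
   COFF header with SizeOfOptionalHeader = 0, then nsec section headers. */
size_t build_test_image(uint8_t *buf, size_t cap, const uint32_t *chars, int nsec) {
    size_t need = 0x40 + 4 + 20 + (size_t)nsec * PE_SECTION_HEADER_SIZE;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                         /* e_lfanew = 0x40 */
    buf[0x40] = 'P'; buf[0x41] = 'E';         /* "PE\0\0" */
    buf[0x46] = (uint8_t)nsec;                /* NumberOfSections */
    for (int i = 0; i < nsec; i++) {
        uint8_t *sh = buf + 0x40 + 24 + (size_t)i * PE_SECTION_HEADER_SIZE;
        const char *name = (i == 0) ? ".text" : ".data";
        memcpy(sh, name, strlen(name));
        uint32_t c = chars[i];
        sh[36] = c & 0xFF; sh[37] = (c >> 8) & 0xFF; sh[38] = (c >> 16) & 0xFF; sh[39] = (c >> 24) & 0xFF;
    }
    return need;
}

/* Build a two-section sample (.text, .data) and scan it. With linked_with_rwe
   set, .text gets the characteristics /section:.text,RWE would give it. */
int scan_sample_image(int linked_with_rwe, char first_name[9]) {
    uint8_t buf[256];
    uint32_t chars[2] = {
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
            | (linked_with_rwe ? IMAGE_SCN_MEM_WRITE : 0u),
        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE };
    size_t n = build_test_image(buf, sizeof buf, chars, 2);
    if (n == 0) return -1;
    return count_wx_sections(buf, n, first_name);
}

/* Scanning a truncated buffer must fail cleanly rather than read past the end. */
int scan_truncated(void) {
    uint8_t buf[256];
    uint32_t chars[2] = { 0xE0000020u, 0xC0000040u };
    size_t n = build_test_image(buf, sizeof buf, chars, 2);
    return n ? count_wx_sections(buf, 0x50, NULL) : -1;
}

int main(void) {
    char name[9] = "";
    printf("normal link:  %d W+X sections\n", scan_sample_image(0, name));
    printf("RWE link:     %d W+X sections (first: %s)\n", scan_sample_image(1, name), name);
    return 0;
}
```

A section that is both writable and executable is a coarse but useful indicator: legitimate compilers do not emit one, so packers, in-place decryptors and SMC demos like this one stand out in a section-table scan before any code is executed.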

    ;**********************************************
    ; Program name: demonstrating the SMC principle
    ; Author: Luo Cong
    ; Date: 2002-10-2
    ; Source: http://laoluoc.yeah.net (laoluo's colorful world)
    ; Note: if you want to reprint, please keep the program complete and note:
    ;       reprinted from "Luo's colorful world" (http://laoluoc.yeah.net)
    ;**********************************************

    .386
    .model flat, stdcall
    option casemap:none

    include    \masm32\include\windows.inc
    include    \masm32\include\kernel32.inc
    include    \masm32\include\user32.inc
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\user32.lib

    ShowMessage proto
    Replacement proto

    .data
    szMsg1      db "This is the code before SMC is executed!", 0
    szMsg2      db "SMC has been executed!", 0
    szCaption   db "SMC demo by LC, 2002", 0
    replace_len dd 0

    .code
    main:
        ; The first time ShowMessage is called, the SMC operation has not been performed yet
        invoke ShowMessage

        lea  eax, ReplacementEnd        ; end of the replacement code
        lea  edx, ReplacementStart      ; start of the replacement code
        sub  eax, edx                   ; length of the replacement code
        mov  replace_len, eax           ; save the length

        ; Key code !!!!!!!!!
        lea  esi, ReplacementStart      ; source: start of the replacement code
        lea  edi, ShowMessageStart      ; destination: start of the original ShowMessage
        mov  ecx, replace_len           ; number of bytes to copy
        rep  movsb                      ; the most critical statement !!! performs the SMC operation

        ; The second time ShowMessage is called, the SMC operation has already been performed.
        ; In other words, the content of ShowMessage is no longer what it was on the first run
        invoke ShowMessage
        invoke ExitProcess, 0

    ShowMessage proc
        ; a label written with "::" instead of ":" would be visible outside this proc (global)
    ShowMessageStart:
        invoke MessageBox, NULL, ADDR szMsg1, ADDR szCaption, MB_OK
    ShowMessageEnd:
        ; Use NOPs to reserve space for the longer replacement code, otherwise the copy
        ; runs past the end of the procedure and an unpredictable error may occur.
        ; The reserve must cover at least
        ; (ReplacementEnd - ReplacementStart) - (ShowMessageEnd - ShowMessageStart) bytes.
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        ret
    ShowMessage endp

    Replacement proc
        ; code to be copied over ShowMessage by the SMC operation:
    ReplacementStart:
        ; equivalent to: invoke MessageBox, NULL, ADDR szMsg2, ADDR szCaption, MB_OK or MB_ICONINFORMATION
        push MB_OK or MB_ICONINFORMATION
        lea  eax, szCaption
        push eax
        lea  eax, szMsg2
        push eax
        push NULL
        lea  eax, MessageBox
        call eax
    ReplacementEnd:
        ret
    Replacement endp

    end main

The result of the second ShowMessage execution is different from that of the first.
Because the content of the ShowMessage proc has been changed before the second execution,
the results are necessarily different.
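Two details of the listing decide whether the trick works or crashes: the replacement must be position-independent (which is why it uses lea eax, MessageBox / call eax instead of a relative call), and ShowMessage must reserve enough NOP bytes for the longer replacement, or rep movsb overwrites the ret and whatever follows. The C program below is an added example, not part of Lao Luo's code or of the original article. It models the .text bytes of ShowMessage as a byte array, using hand-assembled 32-bit x86 encodings of the two bodies in the listing (the 0xAA/0xBB/0xCC/0xDD/0xEE operands are placeholder addresses, not real ones, and the original call is assumed to be the 5-byte E8 rel32 form MASM's invoke emits), computes the NOP reserve from the two lengths, and compares an unchecked rep-movsb-style copy with a copy that refuses to spill past the reserved region.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed encoding of the original ShowMessage body (ShowMessageStart..ShowMessageEnd).
   Operand bytes are placeholders, not real addresses. */
static const uint8_t ORIGINAL_BODY[] = {
    0x6A, 0x00,                          /* push 0                uType = MB_OK */
    0x68, 0xAA, 0xAA, 0xAA, 0xAA,        /* push offset szCaption */
    0x68, 0xBB, 0xBB, 0xBB, 0xBB,        /* push offset szMsg1 */
    0x6A, 0x00,                          /* push 0                hWnd = NULL */
    0xE8, 0xCC, 0xCC, 0xCC, 0xCC         /* call MessageBox       rel32: only valid at this address */
};

/* Constructed encoding of the Replacement body (ReplacementStart..ReplacementEnd). */
static const uint8_t REPLACEMENT_BODY[] = {
    0x6A, 0x40,                          /* push 40h              MB_OK or MB_ICONINFORMATION */
    0x8D, 0x05, 0xAA, 0xAA, 0xAA, 0xAA,  /* lea eax, szCaption    absolute disp32 */
    0x50,                                /* push eax */
    0x8D, 0x05, 0xDD, 0xDD, 0xDD, 0xDD,  /* lea eax, szMsg2 */
    0x50,                                /* push eax */
    0x6A, 0x00,                          /* push 0 */
    0x8D, 0x05, 0xEE, 0xEE, 0xEE, 0xEE,  /* lea eax, MessageBox   absolute address of the thunk */
    0xFF, 0xD0                           /* call eax              no rel32, so the bytes may be moved */
};

size_t original_body_len(void)    { return sizeof ORIGINAL_BODY; }
size_t replacement_body_len(void) { return sizeof REPLACEMENT_BODY; }

/* NOP bytes ShowMessage must reserve after its body so the replacement fits. */
size_t nops_required(size_t original_len, size_t replacement_len) {
    return replacement_len > original_len ? replacement_len - original_len : 0;
}

/* Assemble a ShowMessage image: body, `pad` NOPs (0x90), then ret (0xC3). */
size_t build_showmessage(uint8_t *out, size_t cap, size_t pad) {
    size_t n = sizeof ORIGINAL_BODY + pad + 1;
    if (n > cap) return 0;
    memcpy(out, ORIGINAL_BODY, sizeof ORIGINAL_BODY);
    memset(out + sizeof ORIGINAL_BODY, 0x90, pad);
    out[n - 1] = 0xC3;
    return n;
}

/* Checked model of the rep movsb step: copy only if the replacement fits inside
   the region reserved for it. Returns bytes copied, or -1 if it would spill. */
long smc_patch(uint8_t *text, size_t text_len, size_t dst_off, size_t reserved_len,
               const uint8_t *repl, size_t repl_len) {
    if (dst_off > text_len || reserved_len > text_len - dst_off) return -1;
    if (repl_len > reserved_len) return -1;
    memcpy(text + dst_off, repl, repl_len);
    return (long)repl_len;
}

/* Run the scenario with `pad` NOPs. checked=0 mirrors the listing's rep movsb
   (no length check); checked=1 uses smc_patch. Returns 1 if the patch landed and
   the trailing ret survived, 0 if it was refused, -1 if the ret was clobbered. */
int run_scenario(size_t pad, int checked) {
    uint8_t text[64];
    size_t len = build_showmessage(text, sizeof text, pad);
    if (len == 0) return -2;
    size_t reserved = sizeof ORIGINAL_BODY + pad;     /* ShowMessageStart up to the ret */
    if (checked) {
        if (smc_patch(text, len, 0, reserved, REPLACEMENT_BODY, sizeof REPLACEMENT_BODY) < 0)
            return 0;
    } else {
        memcpy(text, REPLACEMENT_BODY, sizeof REPLACEMENT_BODY);  /* unchecked, like rep movsb */
    }
    if (text[len - 1] != 0xC3) return -1;                         /* ret overwritten */
    return memcmp(text, REPLACEMENT_BODY, sizeof REPLACEMENT_BODY) == 0 ? 1 : -1;
}

int main(void) {
    size_t need = nops_required(original_body_len(), replacement_body_len());
    printf("original %zu bytes, replacement %zu bytes, NOPs required: %zu\n",
           original_body_len(), replacement_body_len(), need);
    printf("unchecked copy, 0 NOPs:  %d (ret clobbered)\n", run_scenario(0, 0));
    printf("checked copy,   0 NOPs:  %d (refused)\n", run_scenario(0, 1));
    printf("checked copy, %zu NOPs:  %d (ok)\n", need, run_scenario(need, 1));
    return 0;
}
```

With these encodings the replacement is 26 bytes against an original of 19, so at least 7 NOPs are needed; with fewer, the unchecked copy lands on the ret and execution runs into whatever bytes follow, which is the "unpredictable error" the listing's comment warns about.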

It is the same idea as brute-force cracking of software: different results are produced by manually modifying the code of a certain region!
Here the code modifies itself, so the modification is done by the machine.

So SMC is very practical, and at least something you need to know!
