Anti-disassembly technology of MASM

Source: Internet
Author: User

Because the assembly language is the machine code one by one corresponding to the machine, so the code of the program is very concise, compiled, linked to the program will not add any other code, so, with Win32dasm and other assembly tools to disassemble assembly language written procedures, the listed assembly code almost with the sequence of writing, process, The code is exactly the same, which is also a concise evidence of assembly language.
But this is too concise code to give the cracker to provide convenience, the cracker only need to have a certain Windows SDK programming and assembly experience, crack is very simple, do not need to use softice these dynamic tools can be cracked. Therefore, the corresponding technology to prevent tracking out, such as flower instructions, not according to the rules to invoke the API, and so on, today to spend instructions and research.
Flower instruction, in fact, is to add some bytes in the program to interfere with static tool disassembly, after all, the Assembly tool no one's thinking, so this trick is very good trick.
Open EditPlus, create a new Asm-sample file, and enter the following code:
.386
. Model Flat, stdcall
Option Casemap:none

Include Windows.inc
Include User32.inc
Include Kernel32.inc

Includelib User32.lib
Includelib Kernel32.lib
. Data
Welcome db "Welcome to the world of Assembly", 0
. CODE
START:
Invoke Messagebox,0,offset welcome,0,0
Invoke exitprocess,0
End START
Save, Ctrl + 1 compile.
With Win32dasm Open the compiled file, you can see the MessageBox and ExitProcess names we used in its menu command [function]->[input], in the menu command [reference]->[string] To see the value of the string welcome we defined, if your program's code is to make an error after the user enters the wrong registration code, then, the cracker only need to find the address of the string used in the dialog box, and then look up the jump instructions to jump to this address, change instructions can be easily cracked, we have to do, is to hide the string and not let the cracker easily find its address, as follows:
; Close the Win32dasm First (hereinafter).
... ...
Lea Eax,welcome
Invoke messagebox,0,eax,0,0
... ...
That is, instead of using a flower instruction, we pass the address of the string to the EAX and then eax it as an argument to the MessageBox when we use the string, and win23dasm these disassembly tools are not recognizable, okay, With Win32dasm to reopen the compiled file, in the [Reference] menu, [string] This gray display, hint that this program has no strings, cheated it! ^_^
There is also the use of flower instructions, the flower instruction can not only make the disassembly tool cannot recognize the string, but also let them compile the wrong code, the flower instruction is generally using some useless bytes to interfere with, but the interference disassembly byte is still available, like this:
... ...
JZ @F
JNZ @F
www db "Welcome to the world of Assembly", 0
@@:
Lea Eax,www
Lea Ebx,welcome
Invoke messagebox,0,eax,ebx,0
Invoke exitprocess,0
... ...
After compiling and then using WIN32DASM to open the EXE, found not only [string] This gray display, the disassembly of the code has become unrecognizable, now the program has very little code, if the code a lot, the crack is not dizzy to blame, but this will only put some of the primary cracker baffled, Experienced crackers according to JZ and JNZ jump whether to point to the non-existent address and know that the use of flower instructions, can also be based on the use of MessageBox address to analyze, we now have to do is to use the manual call API add flowers instructions to cheat disassembly tool, as follows:
... ...
Lea Eax,welcome
Push 0
Push 0
Push EAX
Push 0
JZ @F
JNZ @F
www db "Welcome to the world of Assembly", 0
@@:
Call [MessageBox]
Invoke exitprocess,0
... ...
(The above Code WINDASM32 Gold version can be correctly identified)
That is, after pressing the parameter, do not use call to invoke the API immediately, but to use the flower instruction before the call, what will the result be? Compile after disassembly, see, not only [string] this gray display, [function]->[input] is also a gray, ha, cheated! And then look at the compiled code, God, a mess, if the code is in a hundreds of K program, I see that the cracker how to deal with, Ha, he is not dizzy to blame!
A little more ruthless:
;=================
; Complete API Flower Instruction example:
;=================
.386
. Model Flat, stdcall
Option Casemap:none; Case-insensitive (not valid for APIs and API constants)
;_____________________________________________________________
Include Windows.inc
Include User32.inc
Include Kernel32.inc

Includelib User32.lib
Includelib Kernel32.lib
. CODE
START:
Push 0
Push 0
Push offset Welcome
Push 0
JZ @F
JNZ @F
Welcome db "Welcome", 0
@@:
MOV eax,[messagebox+4]
Sub eax,4
JNZ @F
WELCOME1 db "Welcome", 0
@@:
Call EAX
Invoke exitprocess,0
End START
Then look at the disassembly code, more!@$$%#!@#$.
By the way, the "complete API flower Instruction example" above is as effective against SoftICE, although SoftICE can interrupt the above program with MessageBoxA, but its disassembled code is just as miserable,

However, the program also do not use the flower instruction too much, usually only in the key code to use these, if you use the entire program is a flower instruction, not only will let the cracker annoyed, will make you annoyed-so many $%@$!@##@ #的代码, how you maintain AH. Ha...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.