Dynamic obfuscation by self-modifying code

Posted by Fallout2 on Stack Overflow See other posts from Stack Overflow or by Fallout2
Published on 2010-12-27T20:02:13Z Indexed on 2010/12/28 10:54 UTC
Read the original article Hit count: 206

Filed under:
|
|

Hi all,

Here what's i am trying to do:

assume you have two fonction

void f1(int *v)
{
   *v = 55;
}
void f2(int *v)
{
   *v = 44;
}

char *template;
template = allocExecutablePages(...);

char *allocExecutablePages (int pages)
{
    template = (char *) valloc (getpagesize () * pages);
    if (mprotect (template, getpagesize (),
        PROT_READ|PROT_EXEC|PROT_WRITE) == -1) {
            perror (“mprotect”);
    }
}

I would like to do a comparison between f1 and f2 (so tell what is identical and what is not) (so get the assembly lines of those function and make a line by line comparison) And then put those line in my template.

Is there a way in C to do that?

THanks

Update

Thank's for all you answers guys but maybe i haven't explained my need correctly.

basically I'm trying to write a little obfuscation method. The idea consists in letting two or more functions share the same location in memory. A region of memory (which we will call a template) is set up containing some of the machine code bytes from the functions, more specifically, the ones they all have in common. Before a particular function is executed, an edit script is used to patch the template with the necessary machine code bytes to create a complete version of that function. When another function assigned to the same template is about to be executed, the process repeats, this time with a different edit script. To illustrate this, suppose you want to obfuscate a program that contains two functions f1 and f2. The first one (f1) has the following machine code bytes

Address Machine code
0          10
1          5
2          6
3          20
and the second one (f2) has
Address Machine code
0          10
1          9
2          3
3          20
At obfuscation time, one will replace f1 and f2 by the template
Address Machine code
0           10
1           ?
2           ? 
3           20
and by the two edit scripts e1 = {1 becomes 5, 2 becomes 6} and e2 = {1
becomes 9, 2 becomes 3}.


#include <stdlib.h>
#include <string.h>

typedef unsigned int uint32;
typedef char * addr_t;

typedef struct {
uint32 offset;
char value;
} EDIT;

EDIT script1[200], script2[200];
char *template;
int template_len, script_len = 0;
typedef void(*FUN)(int *);
int val, state = 0;

void f1_stub ()
{
if (state != 1) {
patch (script1, script_len, template);
state = 1;
}
((FUN)template)(&val);
}

void f2_stub () {
if (state != 2) {
patch (script2, script_len, template);
state = 2;
}
((FUN)template)(&val);
}

int new_main (int argc, char **argv)
{
f1_stub ();
f2_stub ();
return 0;
}

void f1 (int *v) { *v = 99; }
void f2 (int *v) { *v = 42; }

int main (int argc, char **argv)
{
int f1SIZE, f2SIZE;
/* makeCodeWritable (...); */
/* template = allocExecutablePages(...); */
/* Computed at obfuscation time */
diff ((addr_t)f1, f1SIZE,
(addr_t)f2, f2SIZE,
script1, script2,
&script_len,
template,
&template_len);
/* We hide the proper code */
memset (f1, 0, f1SIZE);
memset (f2, 0, f2SIZE);
return new_main (argc, argv);
}

So i need now to write the diff function. that will take the addresses of my two function and that will generate a template with the associated script.

So that is why i would like to compare bytes by bytes my two function

Sorry for my first post who was not very understandable!

Thank you

© Stack Overflow or respective owner

Related posts about c

    Related posts about assembly